General

  • Target

    bf_5star_ramp.zip

  • Size

    581KB

  • Sample

    240530-q2stpsbg46

  • MD5

    7c15fb5351b2b4680e6b9be6cc533245

  • SHA1

    90472cc847e9a7230219a44d8ccb3f5a971d8c07

  • SHA256

    a70cc7f12aff2a014fcf99cc2ffc7de8e3022c67e966d90b13fdc4f651a326fe

  • SHA512

    86437a7328c9a03784bcd414f7b887c8914ee1810924bcc75d794bd1c6b64e445e35c3bfa0f065361f050c3152017c9ed4a4666b72e3df98a2eee82aa04a2fb4

  • SSDEEP

    12288:K0KMJpwbJ9TNUKjNeFSQ03JajwO+7RhHWgkmZEDIsWC:rpYxQ03k0L/H6tIRC

Malware Config

  • Extracted

  • Family

    lokibot

  • C2

    http://blesblochem.com/two/gates1/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      bf_5star_ramp.zip


    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Office macro that triggers on suspicious action

      Office document macro that triggers only under special circumstances; this behaviour is often malicious.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks