General
- Target: a5acd8d9b083db24f0daec6ccbabebd9_JaffaCakes118
- Size: 376KB
- Sample: 240613-qaxzcatglj
- MD5: a5acd8d9b083db24f0daec6ccbabebd9
- SHA1: 447ad52414e3c5115ba6e802bd4fbd654ec91402
- SHA256: ffaf52f4182ba67689862f11e595d00de1dcb5ba6623bd06e3f9d9fadb41f0e6
- SHA512: bc5bd0abf441fdf8ab6d1a53b11bc2e46b01ac62050295722c2d8cf475b694a6e93f8482d9a42233d042e471cb65c7312b1a45b4bccefae7cb40ce382eba3356
- SSDEEP: 6144:qG1i/uHQ9DnjrizxNpXl7+EwD/oma2MknDI1de/3Ljthuw:qG1i/P9LKtq0mFMYEi/1x
Static task: static1
Behavioral task: behavioral1
- Sample: a5acd8d9b083db24f0daec6ccbabebd9_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: a5acd8d9b083db24f0daec6ccbabebd9_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
Malware Config
Extracted family: lokibot
Extracted C2 URLs:
- http://rubuoru1.ml/gata/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
- http://orubuoru1.ml/gata/fre.php
Targets
- Target: a5acd8d9b083db24f0daec6ccbabebd9_JaffaCakes118
Score: 10/10
Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext