Overview

overview

10

Static

static

3

6fb96d0e2a...18.exe

windows7-x64

10

6fb96d0e2a...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6fb96d0e2a871a7d43fbdfb2f7c180c8_JaffaCakes118

  • Size

    633KB

  • Sample

    240725-qhh56azhlr

  • MD5

    6fb96d0e2a871a7d43fbdfb2f7c180c8

  • SHA1

    3ee27ba1fba38592c413cba126f1911a9853c63e

  • SHA256

    1a730ab5a834e3ec6e9ec7ab3f1bef307d13dd6377b4a625c5491922dcfefc12

  • SHA512

    6d45714efbd99cf6a647549d3ce4e93949e5be5d618ccfed1eb5a5b39478880686ca96a932239df6dbb93c0811f25542fe5daaba544acfa748fb740aa1c5c5cc

  • SSDEEP

    12288:jt3I3upu1gy8KtqskIGSRiUIhvI8w/YO+H1Jc+uL1mpO:p3I3upu1Q8SzaTjMw1qO

Score
10/10
lokibotcollectioncredential_accessdiscoveryevasionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://finairinhopgopt.sytes.net/IjfOlJFP/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      6fb96d0e2a871a7d43fbdfb2f7c180c8_JaffaCakes118

    • Size

      633KB

    • MD5

      6fb96d0e2a871a7d43fbdfb2f7c180c8

    • SHA1

      3ee27ba1fba38592c413cba126f1911a9853c63e

    • SHA256

      1a730ab5a834e3ec6e9ec7ab3f1bef307d13dd6377b4a625c5491922dcfefc12

    • SHA512

      6d45714efbd99cf6a647549d3ce4e93949e5be5d618ccfed1eb5a5b39478880686ca96a932239df6dbb93c0811f25542fe5daaba544acfa748fb740aa1c5c5cc

    • SSDEEP

      12288:jt3I3upu1gy8KtqskIGSRiUIhvI8w/YO+H1Jc+uL1mpO:p3I3upu1Q8SzaTjMw1qO

    Score
    10/10
    lokibotcollectioncredential_accessdiscoveryevasionspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks