Overview

overview

10

Static

static

7

51613d3c02...18.exe

windows7-x64

10

51613d3c02...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    51613d3c02ff020c361baa8e753baecc_JaffaCakes118

  • Size

    370KB

  • Sample

    240729-tkz38s1apf

  • MD5

    51613d3c02ff020c361baa8e753baecc

  • SHA1

    f07665774e22bbf978d32db4988e03b4cd644c42

  • SHA256

    5b33d0b9c6e4adc3e453adaa5205a07c05b24ba5e784e53905bc0428c11e9f8b

  • SHA512

    d38da3ce7eecd3b445c41fc2fcc8633c583e2df61f7277c7f408c689008df33c8547f590e1175f0272f1c52ffaa2692068c8c2e3e521204d1a7533ea03f4db30

  • SSDEEP

    6144:mAPc0Oksx85QuVnizQcce08yIO5SMvqz25JDgksL6NjzWohHhUzZ4nI8:mTb3859oQcce08AdvP5JDJWMHWZ

Score
10/10
lokibotaspackv2collectioncredential_accessdiscoverypersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://89.46.223.82/cebral/solar/gem/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      51613d3c02ff020c361baa8e753baecc_JaffaCakes118

    • Size

      370KB

    • MD5

      51613d3c02ff020c361baa8e753baecc

    • SHA1

      f07665774e22bbf978d32db4988e03b4cd644c42

    • SHA256

      5b33d0b9c6e4adc3e453adaa5205a07c05b24ba5e784e53905bc0428c11e9f8b

    • SHA512

      d38da3ce7eecd3b445c41fc2fcc8633c583e2df61f7277c7f408c689008df33c8547f590e1175f0272f1c52ffaa2692068c8c2e3e521204d1a7533ea03f4db30

    • SSDEEP

      6144:mAPc0Oksx85QuVnizQcce08yIO5SMvqz25JDgksL6NjzWohHhUzZ4nI8:mTb3859oQcce08AdvP5JDJWMHWZ

    Score
    10/10
    lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks