General

  • Target

    88e2f69d61f75610b12de81d0adb6681_JaffaCakes118

  • Size

    146KB

  • Sample

    240811-eemtdsterm

  • MD5

    88e2f69d61f75610b12de81d0adb6681

  • SHA1

    4349695f8a44d222931f62c7bb0cf5b80bfa6085

  • SHA256

    dec38c01fb4919cb36510e11966b44b0a645150db0453c1d99865130b434b04c

  • SHA512

    7832b4f01de6a27f2d2a17aa669dc113f2aedb3cdd64c36359a0dcfc138dfcaea7de05e4fd7a16a0b87d76c1d8d91c18afd363dcd90aa2e10f752262615bb0aa

  • SSDEEP

    3072:uwrQ6tusnj3Oliu9hF0oIq0l1uK5nN3BCITw+yH75LifU52i0QFmWZRBdmwCfpB8:ulDL+9EI6LZltTdmwCfM

Malware Config

Extracted

Family

lokibot

C2

http://newrokshipping.com/rich/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Payment Advice____xlsx.exe

    • Size

      160KB

    • MD5

      eb095eb21bb3e08a1ce7705ad3c9b06a

    • SHA1

      1ce05bf7caac0ad9b7daded79653c9d106db3c86

    • SHA256

      55bc57b1996aa965f40419a7a6c02a711b36ae03709cb09acef7ca47b50cd3e1

    • SHA512

      82eaa33cf43fc77350a897cfdf61d266cb419ea5ffcc3cc8c92cc73855c724d116caf032254cd26a1102e745a4871228c3b24159f9fe804c5661d07fb56d5b29

    • SSDEEP

      3072:7AwC5wP7dePo8fCcFbZgzKJ/n4crjfpyZrmfLrqt6ogVL32ElovB:7x/M/ZgzKtn4cfBSr6tTzloJ

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

    • SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    • SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    • SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    • SSDEEP

      192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4

    Score
    3/10

    • Target

      vynl0gnzsf.dll

    • Size

      17KB

    • MD5

      9d511fba89bde65b4e28210b010c9d77

    • SHA1

      cc46b5a117ca777a723422e9c68838f8e675598f

    • SHA256

      3687fab11f377acc4d63b693a02ab21d14c22911f289b3ad8b19011400adc758

    • SHA512

      fae30a137f093179716b780fce6ecb952abdaeeebc63745ae2cf5bd553203a252cfa5edd1c91bc31b2813dd3124c7282ae7ae706583a5bef1952cf78bcee29bb

    • SSDEEP

      384:thEXpyZyASk87Xbl3JZcQ1Dq0V6xExZDGw2fLUQRGFEjpVE:H6szSDXbvZcQlqqnGw2grEj

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks