General

  • Target

    bde947cf1cc2222555adf5663d22dbd9_JaffaCakes118

  • Size

    318KB

  • Sample

    240824-fbet2svhjk

  • MD5

    bde947cf1cc2222555adf5663d22dbd9

  • SHA1

    62e4e165a06a0836a87f95edac374f0890a7a238

  • SHA256

    2da3b290d194ac229997800af1e300ceb8a1ed7954fdddfe7d1c9f97438adf88

  • SHA512

    25db2382d6ebf34b8bd8ac91750ad0c57f63518d8d153b3c1f95d9ddcc1f1d992be5d2293069c1af98cef90edc489ec4bc6ba38b962307a85bab6c50cd4c7523

  • SSDEEP

    6144:OBfWI0FDHuZYGA0DrfbwhuxdPpRdlJWrG9K30efvpMO+vzM8:4fV0FjuZRA4rbwoRUrGI30gpBIzP

Malware Config

Extracted

Family

lokibot

C2

https://www.ritcophysiotherapy.com.au/wap121/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      IMG-2021-17-02557000015.exe

    • Size

      427KB

    • MD5

      8ad87cebd9aaadd8a385fa504863e532

    • SHA1

      68e8214ff89b2c93f147bdc797889b25b85a2ee5

    • SHA256

      ef44e807ff152bb2c5f6ed11f573087872f0fdf1baaa0e31b7767c5723e503e7

    • SHA512

      53c88bce7495219b6b35bfaba1756ed04ba8ac9a05ededcd7752a4656369cf492d111b4b823c93e57ed41379eeb71e027446990e600216ba23ed427946201037

    • SSDEEP

      6144:IBb6rFigZaGASvJfbwhmxdPpndlNWrG9mx3Xf1pM4+h+0LX:IBGYgZTA+9bwUnwrGYrpZGL

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks