General

  • Target

    bf335d340e7bbc13feaf408905eb499b_JaffaCakes118

  • Size

    554KB

  • Sample

    240824-xhydeatena

  • MD5

    bf335d340e7bbc13feaf408905eb499b

  • SHA1

    a27597faf8346513f98a0c811634009d2843b57c

  • SHA256

    3bd473a0d0ceaafda5293fcea396b160d32ef60d7a083b152b78fcb2a124abdd

  • SHA512

    ddc1f6174ba87be654eef95e70396204bb2841698f2d6dd2df0752c37e9cfd90b5841be643a9dfefd2aa6230d8e60cd650e6547ad473b723a4ecdb2cfcb156c7

  • SSDEEP

    12288:h+WhWEyIu3ErzRYi/ZxtbS3IWWq6Pk3HnnYhPsvKYRtUM:hIRI3rzRv/JbS7Wq6WYAXRtU

Malware Config

Targets

    • Target

      Saudi Aramco Purchase Order Ref090418.doc

    • Size

      506KB

    • MD5

      ef03d6c77f9299473e82c6cccfefb0c3

    • SHA1

      1038ba22fead7e33c82cc159feb340692a975096

    • SHA256

      325a2e914289e94063ddb91a2cd54320c185917e8e78f760aaf54ad66d2f6523

    • SHA512

      312785af42f51daaf3127dab36be0b3a4bbb1f1e4d136785fce39d8a01db7f606abd3e3933df234c28dabf4d215649eacc68355b0383853fde503bac461453cf

    • SSDEEP

      12288:g+WhWEyIu3ErzRYi/ZxtbS3IWWq6Pk3HnnYhPsvKYRtUMe:gIRI3rzRv/JbS7Wq6WYAXRtUz

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks