Overview

overview

10

Static

static

3

c27d4d5dfb...18.exe

windows7-x64

10

c27d4d5dfb...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c27d4d5dfbcf43a1a7f5d9cc551ab757_JaffaCakes118

  • Size

    2.5MB

  • Sample

    240826-hnsb1s1aqf

  • MD5

    c27d4d5dfbcf43a1a7f5d9cc551ab757

  • SHA1

    c0fd7f8e72f1afda0a86362ac105aa9058e6d7f3

  • SHA256

    7f21600677d8de69f712bd233b48a637436b883d26fdcf805cdac20abeb8e0dc

  • SHA512

    981c930badb796bd319235c69a5fd2ec6ea3ae1bae95a3ec5cce68cd4bfb7fe25adf18dd52333c161a52e173badc6a0520699c5d4d4d2a21a3c0677312811e33

  • SSDEEP

    49152:QuoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGV:QvX0zlC6mJ98WZcQ1a7

Score
10/10
lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/NyO3EiWYgxXgy

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      c27d4d5dfbcf43a1a7f5d9cc551ab757_JaffaCakes118

    • Size

      2.5MB

    • MD5

      c27d4d5dfbcf43a1a7f5d9cc551ab757

    • SHA1

      c0fd7f8e72f1afda0a86362ac105aa9058e6d7f3

    • SHA256

      7f21600677d8de69f712bd233b48a637436b883d26fdcf805cdac20abeb8e0dc

    • SHA512

      981c930badb796bd319235c69a5fd2ec6ea3ae1bae95a3ec5cce68cd4bfb7fe25adf18dd52333c161a52e173badc6a0520699c5d4d4d2a21a3c0677312811e33

    • SSDEEP

      49152:QuoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGV:QvX0zlC6mJ98WZcQ1a7

    Score
    10/10
    lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks