General

  • Target

    c915841a4eb00c3079f64a7dc369b5f6_JaffaCakes118

  • Size

    320KB

  • Sample

    240829-sp74zazgrk

  • MD5

    c915841a4eb00c3079f64a7dc369b5f6

  • SHA1

    3dee99e7e5a550dfdfec8c4d203b85a7687bc8b4

  • SHA256

    60d0ec26812039a01f693d6726fc116a549c9924ce3eb52f2b0a5f44a01f8f84

  • SHA512

    cdf927e1772fdca17ade5f7c25a070fd76d87ca85110abe4038f484141878a3c0750668ec62b7811b4e4e3ad73c5e6d7c24a1258bc2f7612b804498dfb4015d4

  • SSDEEP

    6144:eRviASYpvoDQyMxVzI+61qFjGFo3Iwb3hylIx0cvLsUBNqGnC11aHR8U8jA7BZ:eViA9RoDQyMxP68FiMIa3h2mgcqGCfc4

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://smundukdapodik.sch.id/sql/Panel/five/fre.php

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Targets

    • Target

      c915841a4eb00c3079f64a7dc369b5f6_JaffaCakes118

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks