General

  • Target

    d10802a1d8dc26fb051bfc094b9df5f2_JaffaCakes118

  • Size

    1005KB

  • Sample

    240907-el4eqateqk

  • MD5

    d10802a1d8dc26fb051bfc094b9df5f2

  • SHA1

    298773d29a60ae7e61d706981e9645858eb15e76

  • SHA256

    90b927e6a1137c0a5b0e745fc4e15c6740dc874fc42dded08f12ba925beb7a4b

  • SHA512

    1b2e80f1f294f5c4a26ae310711013b8e871e87b2ba4cca8fdd0383ef76015e2969ea38dd702e791578a3f92900b01c719b249697db7049fb18254041ddce004

  • SSDEEP

    12288:LpJI10GZWigk1EbnvrdCWp/EV6CUm20F0iLs8ouaih+NTKYlKhPk5f1jDjNt76Sa:NsRWigkonvpv26CUBxnihaTsaN7+SeN

Malware Config

Extracted

Family

lokibot

C2

http://replaxed.ru/amb-1/fred.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks