General
-
Target
de397189fe82a4ebe1598831d5cd01cf_JaffaCakes118
-
Size
844KB
-
Sample
240913-mx5qxsyerh
-
MD5
de397189fe82a4ebe1598831d5cd01cf
-
SHA1
39984742479582109c98eca42b6c94ef694f3e37
-
SHA256
d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345
-
SHA512
5cef478bca9be0e27f13e084b1fa79382511be8b142d549002cd95929aade9b49fa74201228a5fa9f906f2d5acd31f2dbb6aa83d54ae97e2b206ee12a6a26388
-
SSDEEP
12288:Fv0A/gEFKsIHLJ+lyMziSR9De65ASncRoLoXTerDsFJTO187DuyNsKOOmIKsXhii:RFKLriziS1NtoqrgTO8yKDDsluiH
Static task
static1
Behavioral task
behavioral1
Sample
de397189fe82a4ebe1598831d5cd01cf_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
de397189fe82a4ebe1598831d5cd01cf_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
lokibot
http://51.195.53.221/p.php/kdPYBLiWHt5e8
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-