General

  • Target

    e794524e1b45cc7ddc29fb4c45c360ae_JaffaCakes118

  • Size

    376KB

  • Sample

    240917-yhrras1glj

  • MD5

    e794524e1b45cc7ddc29fb4c45c360ae

  • SHA1

    e5049672ced5ba2317f20387c02f040490a0adce

  • SHA256

    ea105dc94b4189edab2ab9b3acb7f54bc499d748b0aa5660e3e6e886996c9d75

  • SHA512

    38e34eaaa1baca27d3f4f2f933be58f5ed79c48629ee7f3120b413eb36d0f9d52b2657157c8e9179a2afc89afad6d4e962bd8f91524e4ce7a4e7feba113f68f9

  • SSDEEP

    6144:nHabKEezxgf6T9aPcXZdwnE4vIcXpzQ7Y8uLblbh8uVqXEghYV+Td+t9BgJV:HabKE2W6T95ZH4NBCYRblbuuVq0g+t9e

Malware Config

Extracted

Family

lokibot

C2

http://136.243.159.53/~element/page.php?id=450

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Scan Document.exe

    • Size

      1014KB

    • MD5

      7fbd7f08ffb9037ac5d7107e539ab81e

    • SHA1

      7d82892230cb3d8b730d1147a1d14dc1b9e6f0f7

    • SHA256

      e7a9b78a46bf8d944ddf1c33ec0b455220dc72f3b17328b6942dcf0e80f2a60e

    • SHA512

      a77fd766e16d2a8bf011bc5205fe81f5c09201cc9861dd4c3cea0d9f90447c90e2c059e3bff78381a8be9b8b7404a08c8861073014e7608db689339e8875bf8d

    • SSDEEP

      12288:EpYu9QiWABwT63RYiDoAo8VIZZ4sA+iuNZXjux:EpYuSiQT2WFAsZZPbiuNsx

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks