General
-
Target
eeaa7f99337e043d590cc21b4e24eece_JaffaCakes118
-
Size
2.2MB
-
Sample
240920-3q37hsvflk
-
MD5
eeaa7f99337e043d590cc21b4e24eece
-
SHA1
a517be28d8fbc2a5c4c91ef27c55bff3fa9e6baa
-
SHA256
34f9dfcc766eaba14087b30209c5eb8856f7cbea2600f71f4e31eaab85d3db0b
-
SHA512
66270f0fd598b38227697198cd2d33eb9fd2f07aa9e5ee8b07554d9ec4b90f6886985b5f3a1beef634efb4fd25379d161e1974a529f3dfcc79454dc4fe9a1b55
-
SSDEEP
24576:fadJQrQVLRMYZJk9kFvk+6mADR8To1Vzh3KFHtqneNrzjzfA5a5pU9aOXUP2brPy:f3rqUK8dDjh3QN8ic4+UOb4RueGlWOBS
Static task
static1
Behavioral task
behavioral1
Sample
eeaa7f99337e043d590cc21b4e24eece_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
eeaa7f99337e043d590cc21b4e24eece_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
xtremerat
frigetraassse3.net
Extracted
lokibot
http://lagenceengineering.com/wp-includes/fonts/app/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
Target
eeaa7f99337e043d590cc21b4e24eece_JaffaCakes118
-
Detect XtremeRAT payload
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copying of, a web browser credential store.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext