General

  • Target

    f60d16e31c8268c130a48c185e3c68c0_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240925-p2fzgazapc

  • MD5

    f60d16e31c8268c130a48c185e3c68c0

  • SHA1

    c09e4c988d4a0bb3ed0a23dc076cc75755bbc919

  • SHA256

    07a06726b001214b35d0adc289dcf0b31c2aedbde4700f6e8f14135550e66b65

  • SHA512

    503b323df1777bb75d6a90c1b1b3bf1f36d13f5439b109b3f28da61bafec7b70483dfab5537029ebffe1d9b427dc496b1412a11092f2c440d516bc25badf6f4d

  • SSDEEP

    24576:dmWWuTOOZCoMLFgg0SyPI8xq0njBOsdHWR3loRfFfxa6zF2z9d+Ygb:dmiBSeOOohtShFBFo+fb

Malware Config

Extracted

Family

lokibot

C2

http://joombus.duckdns.org/loko/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Ship88912.exe

    • Size

      1.1MB

    • MD5

      c253e553c97f0a6295948eb14a83ac1e

    • SHA1

      fe268438c44460810bf807023f5f0d7ddbfd1b3d

    • SHA256

      10b64ef8b15aa2fb82dabc075926b0810bdbe60c528ee82d75d0c01c32ddcb76

    • SHA512

      80d6b74f211a3e58497a6107c16e25664c90a0afc4740107a09307c8411de9b3fc4d33badbc69cbaee8727b5b954cf1862ea7eb7b5a93fed99b05db9788a048a

    • SSDEEP

      24576:zglru6TUwOeILMLEle0wyPcPtvA9njXORV97TlWR3VoRVFtPaKTF2VvdwSfv:cSIE0OvWTktiLFPFYmgv

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks