General

  • Target

    029eb98299179f49091147d34fad1ea6_JaffaCakes118

  • Size

    243KB

  • Sample

    240930-wnhz8sybrp

  • MD5

    029eb98299179f49091147d34fad1ea6

  • SHA1

    4284cc0cf7029dc27558ee8c61f7e49248db67ea

  • SHA256

    e9e3490df4628c80e10723892c75cd036d340e4a09ca9527c5710e1b01e3847a

  • SHA512

    9c00f00d034270e1dcbf1bcbbfb19c666d2e3e282dfe0070fdc15504f3111e27d6491990047c2dcd587a3a61cd12bb184df281ad09166ffbcfaa75876713f54c

  • SSDEEP

    6144:+5DLv1td3qE1FZon9Xvt6Qt/5o6WP56vw6d:cv1qWfo9XvMQrCr6d

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.5/sxisodifntose.php/EgoLIndJyyfQs

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
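The extracted configuration above is the most durable part of this report: a repacked build of the same family gets new file hashes but usually keeps its C2 list. The following Python is an added example (not part of the sandbox report) that turns the listed C2 URLs and hashes into checkable indicators: it splits each URL into host and path (DNS and proxy logs see different parts), emits one Suricata HTTP rule per URL, and compares a file's digests against the hashes on this page. The sid range, the rule text and the sample bytes fed to the hash check are constructed for illustration.

```python
"""Turn the Lokibot configuration listed above into checkable indicators.

Added example, not the sandbox's own code. The C2 URLs and digests are the
ones on this page; the Suricata rule template, the sid range and the bytes
used in the usage section are constructed here for illustration.
"""
import hashlib
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the report.
C2_URLS = [
    "http://185.227.139.5/sxisodifntose.php/EgoLIndJyyfQs",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
KNOWN_HASHES = {
    "md5": "029eb98299179f49091147d34fad1ea6",
    "sha1": "4284cc0cf7029dc27558ee8c61f7e49248db67ea",
    "sha256": "e9e3490df4628c80e10723892c75cd036d340e4a09ca9527c5710e1b01e3847a",
}


def split_c2(url):
    """Break a C2 URL into host, host type and path so each part can be
    matched on its own (DNS logs carry the host, proxy logs carry the path)."""
    parts = urlsplit(url)
    host = parts.hostname
    try:
        ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return {"host": host, "kind": kind, "path": parts.path, "scheme": parts.scheme}


def indicators(urls=C2_URLS):
    """Deduplicated (kind, host) pairs and URL paths. The same path reused
    across several domains is a hint that the path is worth its own rule."""
    hosts, paths = set(), set()
    for u in urls:
        s = split_c2(u)
        hosts.add((s["kind"], s["host"]))
        paths.add(s["path"])
    return sorted(hosts), sorted(paths)


def suricata_rules(urls=C2_URLS, base_sid=9000000):
    """One Suricata HTTP rule per C2 URL, matching host and URI together.
    base_sid is a hypothetical local range; adjust to your ruleset."""
    rules = []
    for i, u in enumerate(urls):
        s = split_c2(u)
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Lokibot C2 {s["host"]}"; flow:established,to_server; '
            f'http.host; content:"{s["host"]}"; http.uri; content:"{s["path"]}"; '
            f"classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        )
    return rules


def hash_match(data, known=KNOWN_HASHES):
    """Compute the digests the report lists and return the names of those
    that match. An empty result is not a clean bill of health: a repacked
    build of the same family has different hashes but the same C2 list."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return sorted(name for name, value in digests.items() if known.get(name) == value)


if __name__ == "__main__":
    hosts, paths = indicators()
    print("hosts:", hosts)
    print("paths:", paths)
    for rule in suricata_rules():
        print(rule)
    # Constructed bytes, not the sample itself, so nothing should match.
    print("matches:", hash_match(b"not the sample"))
```

The host/path split matters for the first URL: it is a bare IP with a one-off path, so a DNS-based block list never sees it and only the URI rule or an IP block catches it, whereas the four domains share the `/alien/fre.php` path and can be covered by one path-based rule if you prefer fewer signatures.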

Targets

    • Target

      029eb98299179f49091147d34fad1ea6_JaffaCakes118

    • Size

      243KB

    • MD5

      029eb98299179f49091147d34fad1ea6

    • SHA1

      4284cc0cf7029dc27558ee8c61f7e49248db67ea

    • SHA256

      e9e3490df4628c80e10723892c75cd036d340e4a09ca9527c5710e1b01e3847a

    • SHA512

      9c00f00d034270e1dcbf1bcbbfb19c666d2e3e282dfe0070fdc15504f3111e27d6491990047c2dcd587a3a61cd12bb184df281ad09166ffbcfaa75876713f54c

    • SSDEEP

      6144:+5DLv1td3qE1FZon9Xvt6Qt/5o6WP56vw6d:cv1qWfo9XvMQrCr6d

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses Microsoft Outlook profiles

      Stored mail account credentials are a common infostealer target alongside browser data.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is commonly used for process injection, for example to redirect a suspended process to injected code.

MITRE ATT&CK Enterprise v15

Tasks