General

  • Target

    3c608c14993fca8a9f2ff71fb276fc949392106ec8104a92abee7b5c9c78fc01

  • Size

    943KB

  • Sample

    241022-rpvyzayhmd

  • MD5

    6352e630f546c09b45d31db7803373a8

  • SHA1

    062289733c62a387d9c808978de7d77c316de465

  • SHA256

    3c608c14993fca8a9f2ff71fb276fc949392106ec8104a92abee7b5c9c78fc01

  • SHA512

    9f4560d5c3be25cf4822d6485bf9540c11dd781ee1918212f269d6b1e1304f6127e3e56cfe5d563b82ca0e45165d282afdb401ae82a2fcbedaadd8531f2917c9

  • SSDEEP

    12288:Etb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgazP2bDhRBmPU6A:Etb20pkaCqT5TBWgNQ7azuXXBmU6A

Malware Config

Extracted

Family

lokibot

C2

http://www.dobiamfollollc.online:3777/vogxhf/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net
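The extracted configuration above is the most directly actionable part of this report: five Lokibot panel URLs and one Bdaejec C2 hostname. The following Python is an added example, not part of the report or of either malware family, showing how a responder would turn that config into indicators and sweep proxy and DNS logs with them. It generalizes slightly beyond the exact URLs: because every Lokibot C2 path here ends in fre.php, it also flags a POST to any unlisted host whose path ends in that script name as a weaker heuristic hit. The log lines are constructed for the example and are not from the report.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of this report.
LOKIBOT_C2_URLS = [
    "http://www.dobiamfollollc.online:3777/vogxhf/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
BDAEJEC_C2_HOSTS = ["ddos.dnsnb8.net"]

# Constructed proxy/DNS log lines (not from the report), one event per line:
#   <timestamp> <client> <method|dns-query> <url|name> <status|rrtype>
CONSTRUCTED_LOG = [
    "2024-10-22T10:01:03Z 10.0.0.15 POST http://alphastand.trade/alien/fre.php 404",
    "2024-10-22T10:01:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2024-10-22T10:02:11Z 10.0.0.15 dns-query ddos.dnsnb8.net A",
    "2024-10-22T10:03:40Z 10.0.0.22 POST http://203.0.113.9/panel/fre.php 200",
    "2024-10-22T10:04:02Z 10.0.0.22 GET http://www.dobiamfollollc.online:3777/vogxhf/Panel/five/fre.php 200",
]

URL_RE = re.compile(r"https?://\S+", re.I)
NAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def build_indicators():
    """Derive matchable indicators from the extracted config.

    Returns (hosts, panel_files): hosts maps a lower-cased hostname to the
    family it belongs to; panel_files is the set of script names the Lokibot
    C2 URLs end in (all five end in 'fre.php'), used by the path heuristic."""
    hosts = {}
    panel_files = set()
    for url in LOKIBOT_C2_URLS:
        parts = urlsplit(url)
        hosts[parts.hostname.lower()] = "lokibot"  # port dropped on purpose: match the name
        panel_files.add(parts.path.rsplit("/", 1)[-1])
    for h in BDAEJEC_C2_HOSTS:
        hosts[h.lower()] = "bdaejec"
    return hosts, panel_files


def classify_line(line, hosts, panel_files):
    """Return a (label, indicator) pair for a log line, or None if it is clean.

    An exact hostname match is high confidence. A POST to a path ending in one
    of the panel script names from an unlisted host is reported as the weaker
    'lokibot-panel-path' hit; a benign site could serve a file of the same
    name, so treat that label as a lead to verify, not as proof."""
    for m in URL_RE.finditer(line):
        parts = urlsplit(m.group(0))
        host = (parts.hostname or "").lower()
        if host in hosts:
            return hosts[host], host
        if " POST " in line and parts.path.rsplit("/", 1)[-1] in panel_files:
            return "lokibot-panel-path", m.group(0)
    # No URL hit: fall back to bare names, which covers DNS query logs.
    for m in NAME_RE.finditer(line):
        name = m.group(0).lower()
        if name in hosts:
            return hosts[name], name
    return None


def scan_log(lines, hosts, panel_files):
    """Return [(line_no, label, indicator)] for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_line(line, hosts, panel_files)
        if result:
            hits.append((n, *result))
    return hits


if __name__ == "__main__":
    hosts, panel_files = build_indicators()
    for n, label, ioc in scan_log(CONSTRUCTED_LOG, hosts, panel_files):
        print(f"line {n}: {label} <- {ioc}")
```

Hostnames are matched without the port so that the dobiamfollollc.online panel is caught whether the proxy logged the :3777 suffix or not; the DNS fallback catches the Bdaejec resolution even when no HTTP request follows it.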

Targets

    • Target

      3c608c14993fca8a9f2ff71fb276fc949392106ec8104a92abee7b5c9c78fc01

    • Size

      943KB

    • MD5

      6352e630f546c09b45d31db7803373a8

    • SHA1

      062289733c62a387d9c808978de7d77c316de465

    • SHA256

      3c608c14993fca8a9f2ff71fb276fc949392106ec8104a92abee7b5c9c78fc01

    • SHA512

      9f4560d5c3be25cf4822d6485bf9540c11dd781ee1918212f269d6b1e1304f6127e3e56cfe5d563b82ca0e45165d282afdb401ae82a2fcbedaadd8531f2917c9

    • SSDEEP

      12288:Etb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgazP2bDhRBmPU6A:Etb20pkaCqT5TBWgNQ7azuXXBmU6A

    • Bdaejec

      Bdaejec is a backdoor written in C++.

    • Detects Bdaejec Backdoor.

      Bdaejec is a backdoor written in C++.

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext (commonly used for process hollowing or thread hijacking)
