General

  • Target

    JaffaCakes118_9abecba4048736535f6d2ed1269cf7781300fb6d0232ab5e55e3b29fc10f0489

  • Size

    55.5MB

  • Sample

    241223-rv4s3askfw

  • MD5

    65d85199a916d6339f7e38d9dc657649

  • SHA1

    2f1ed8461587c9359b51a9dc61bfba30bde37eda

  • SHA256

    9abecba4048736535f6d2ed1269cf7781300fb6d0232ab5e55e3b29fc10f0489

  • SHA512

    0b3451470d734ac9fded507568f229ab3ff24f6a8f065e11e1766b5e145f5ae181b0dc8b5fdd10341775c88b60ffd45136d00b04a67f9ae13bb2bcf492407f43

  • SSDEEP

    786432:FnWKklib8bsVVL4Wjq8AYwz4iqqDZyGF0rx30nrDFFkBa5Ofo0ZCo8ht:FnWRo/fLjjhAYwVq/GFex3sFu8w5wjt

Malware Config

Extracted

Family

lokibot

C2

http://37.0.11.227/droidtwo/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
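
An IOC sweep built from the hashes in the General section and the C2 list above, written as an added example for this page (it is not Triage output and not LokiBot code). The proxy log format, the sample log lines, and the second-tier "POST to a /fre.php path" heuristic are assumptions made for the demo; the heuristic only reflects that all five extracted URLs share that gate filename, so treat its hits as hunting leads rather than verdicts.

```python
"""IOC sweep for the LokiBot sample described on this page.

Added example, not Triage output or LokiBot code. The hashes and C2 URLs
come from the report above; the proxy log format and the log lines are
constructed for illustration and are assumptions, not real traffic.
"""
import hashlib
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# C2 URLs extracted from the sample's LokiBot config (copied from the page).
C2_URLS = [
    "http://37.0.11.227/droidtwo/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# SHA-256 of the submitted dropper and of the dropped 692A640F.exe (from the page).
KNOWN_SHA256 = {
    "9abecba4048736535f6d2ed1269cf7781300fb6d0232ab5e55e3b29fc10f0489": "JaffaCakes118 dropper",
    "945a03df112866cd0d1da3b476f674aa81c556df2ceab354eb4ff545888e27f2": "692A640F.exe",
}


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def classify_file(data: bytes) -> Optional[str]:
    """Return the page's label for a file whose SHA-256 is a known IOC, else None."""
    return KNOWN_SHA256.get(sha256_of(data))


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Flag log lines that reach a known C2 host or a LokiBot-style gate.

    Assumed (constructed) line format: "<timestamp> <client_ip> <method> <url> <status>".
    Two tiers: an exact hit on one of the five C2 hosts, and a weaker heuristic
    for a POST to any host whose path ends in /fre.php, the gate filename shared
    by all five URLs above. The second tier is a hunting lead, not a verdict.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than abort the sweep
        method, url = parts[2], parts[3]
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in C2_HOSTS:
            hits.append((n, host, "known LokiBot C2 host"))
        elif method == "POST" and parsed.path.endswith("/fre.php"):
            hits.append((n, host, "POST to LokiBot-style gate path fre.php"))
    return hits


# Constructed proxy log lines for the demo; not captured traffic.
SAMPLE_LOG = [
    "2024-12-23T14:01:02Z 10.0.0.15 GET http://example.com/index.html 200",
    "2024-12-23T14:01:09Z 10.0.0.15 POST http://alphastand.trade/alien/fre.php 404",
    "2024-12-23T14:01:11Z 10.0.0.15 POST http://37.0.11.227/droidtwo/five/fre.php 200",
    "2024-12-23T14:02:30Z 10.0.0.22 POST http://198.51.100.7/panel/fre.php 200",
    "2024-12-23T14:03:00Z 10.0.0.22 GET http://example.org/fre.php 200",
    "garbage line",
]

if __name__ == "__main__":
    for line_no, host, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {host}: {reason}")
    print("unknown file classified as:", classify_file(b"not the sample"))
```

The host match is exact on the parsed hostname rather than a substring search over the raw line, so a lookalike such as "alphastand.top.example.com" does not fire the high-confidence tier. Feed classify_file the bytes of anything carved from disk or memory; only the two SHA-256 values on this page return a label.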

Targets

    • Target

      692A640F.exe

    • Size

      55.7MB

    • MD5

      5fbd4b8995f1ecfa3239a9dbdf631baf

    • SHA1

      4ca5b1f438d0aeeb3251abe0935071b2d2db1a61

    • SHA256

      945a03df112866cd0d1da3b476f674aa81c556df2ceab354eb4ff545888e27f2

    • SHA512

      e0a89fdb9f7db7ebeeb39fc227d3494b010aa0543302296d8aeed15fb8059bc11ba12c3989e931493d8c15a1fb6098a7272491a14d4f3334f10a40933e64eef9

    • SSDEEP

      786432:6tfwmcJmV7q/PwAfDekqcta3Wk6znnFztsy7Arsc64kyqhgxoABkyyU9za3YkyAx:xmcJGu3wAfiwaGfRp7XxXyqCxF+3bV

    • Lokibot

      Lokibot is an information stealer that harvests saved passwords and cryptocurrency wallet data and reports to the C2 URLs extracted above.

    • Lokibot family

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies, and autofill entries.

    • Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v15

Tasks