lokibot | be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

RFQ Global Trading SPA 04.img.com
Size

701KB
Sample

200716-zyxg68k3sa
MD5

87fb3a6d060e833e4eb6c74d229b3f03
SHA1

3ff4e981c4f2dfcdf014632c9f412de6d14a3a1c
SHA256

be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
SHA512

c4aefed653b191fc1297a1f1b2584f093619e2ffac0db402325d0ddff7b2fa7604e9e56cd3461261124c9575997868dd3778d36330d9db2724faa76c11b4693b

Score

10^/10

lokibot persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://fixerrors-mail.ga/holy/five/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  RFQ Global Trading SPA 04.img.com
- Size
  
  701KB
- MD5
  
  87fb3a6d060e833e4eb6c74d229b3f03
- SHA1
  
  3ff4e981c4f2dfcdf014632c9f412de6d14a3a1c
- SHA256
  
  be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
- SHA512
  
  c4aefed653b191fc1297a1f1b2584f093619e2ffac0db402325d0ddff7b2fa7604e9e56cd3461261124c9575997868dd3778d36330d9db2724faa76c11b4693b
Score

10^/10

persistence spyware trojan stealer lokibot
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

persistencespywaretrojanstealerlokibot