lokibot | 20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234 | Triage

Submit
Reports

Overview

overview

Static

static

8

RAT.ppt

windows7_x64

RAT.ppt

windows10_x64

1

Sharing

General

Target

RAT.ppt
Size

87KB
Sample

200818-2h9kvp23px
MD5

996d8c68ecfe98a2ce25c177927a90e0
SHA1

538d30afcc2d003f95c5f82714134957c8957159
SHA256

20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234
SHA512

b9f2f992227632b86bcf2aad781738c2be173610bd41359fc581a89c7e4b44cac714385d28f7c967be2a31e8a3c33132aa6d5ced071d41c47aaa1f6c415cff1e

Score

10^/10

lokibot macro persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

RAT.ppt

Resource

win7v200722

lokibot persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RAT.ppt

Resource

win10

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/aKjCtLDg

Targets

- Target
  
  RAT.ppt
- Size
  
  87KB
- MD5
  
  996d8c68ecfe98a2ce25c177927a90e0
- SHA1
  
  538d30afcc2d003f95c5f82714134957c8957159
- SHA256
  
  20b52843f8e11a925f7008ffe96848e846099130c0c23bd80b3f3c6ee726e234
- SHA512
  
  b9f2f992227632b86bcf2aad781738c2be173610bd41359fc581a89c7e4b44cac714385d28f7c967be2a31e8a3c33132aa6d5ced071d41c47aaa1f6c415cff1e
Score

10^/10

lokibot persistence spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotpersistencespywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy