lokibot | 3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51 | Triage

Submit
Reports

Overview

overview

Static

static

tas0v3FvZSBpyH2.exe

windows7_x64

tas0v3FvZSBpyH2.exe

windows10_x64

Sharing

General

Target

tas0v3FvZSBpyH2.exe
Size

676KB
Sample

201109-zy2hdtrb5j
MD5

557353bdbd122177a75fe9b79e5b4242
SHA1

5815cf11845fb0eac0634fe7422b27f6f51163f5
SHA256

3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51
SHA512

e7eb2ae7db03555fdf1c800305bc060fc07e6d9667910a9a022cc10f40e6d3edf901b7f4903799706b43566977e2e1f62e971109ffe84c9398f3f11beea10b74

Score

10^/10

lokibot snakebot coreentity rezer0 snakebot spyware stealer trojan

Static task

static1

snakebot snakebot

Behavioral task

behavioral1

Sample

tas0v3FvZSBpyH2.exe

Resource

win7v20201028

lokibot coreentity rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tas0v3FvZSBpyH2.exe

Resource

win10v20201028

lokibot coreentity rezer0 spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://skull3.ga/martins27/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  tas0v3FvZSBpyH2.exe
- Size
  
  676KB
- MD5
  
  557353bdbd122177a75fe9b79e5b4242
- SHA1
  
  5815cf11845fb0eac0634fe7422b27f6f51163f5
- SHA256
  
  3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51
- SHA512
  
  e7eb2ae7db03555fdf1c800305bc060fc07e6d9667910a9a022cc10f40e6d3edf901b7f4903799706b43566977e2e1f62e971109ffe84c9398f3f11beea10b74
Score

10^/10

lokibot coreentity rezer0 spyware stealer trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- rezer0
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

snakebotsnakebot

behavioral1

lokibotcoreentityrezer0spywarestealertrojan

behavioral2

lokibotcoreentityrezer0spywarestealertrojan

© 2018-2024

Terms | Privacy