lokibot

General

Target

Request I 1212291.exe
Size

1.1MB
Sample

201221-s4xh7v9rgn
MD5

9743f77306df1b9b41e98a3984241816
SHA1

22a389b55e1fac3652b42e90a4da816e51d8821e
SHA256

c21689a611138420f9dc0e59ab074794939c097007c2f3518ecf40eed5115917
SHA512

15367158bed35f289a4bdc765a53b3eb18fefebbdd1c4b9aae9b6c665cc12d3766aabe5c5b38fa06721b6fefebc9ecf76f3fd71937a9d79190145efb1c2ae9dd

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://gandokiblit.pw/.blessdnewweek/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Request I 1212291.exe
- Size
  
  1.1MB
- MD5
  
  9743f77306df1b9b41e98a3984241816
- SHA1
  
  22a389b55e1fac3652b42e90a4da816e51d8821e
- SHA256
  
  c21689a611138420f9dc0e59ab074794939c097007c2f3518ecf40eed5115917
- SHA512
  
  15367158bed35f289a4bdc765a53b3eb18fefebbdd1c4b9aae9b6c665cc12d3766aabe5c5b38fa06721b6fefebc9ecf76f3fd71937a9d79190145efb1c2ae9dd
Score

10^/10

lokibot modiloader persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader First Stage
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ModiLoader, DBatLoader

ModiLoader First Stage

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2