lokibot | 2744fde6ef0640d9d3b6bbd02e2a89a2c38370cd6e9cbe33b580f9c87db33776 | Triage

Sharing

General

Target

Estimate amount payment for December 2020.xlsx
Size

1.5MB
Sample

210113-j5anrvnwbn
MD5

d20c75f4f7e511d452554d8ad503d646
SHA1

5fd75bee1ff268b392e9c76303278f51a3270cec
SHA256

2744fde6ef0640d9d3b6bbd02e2a89a2c38370cd6e9cbe33b580f9c87db33776
SHA512

deea56293452e9158523dddb5f6253cd5bf187350e24203f693b9363f2c568ee9dfe5eb6dd4bf16e5aa97d03226b72cc30b6f3c23fb8e9906ff5265101e3c18b

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://azzmtool.com/chief/offor/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Estimate amount payment for December 2020.xlsx
- Size
  
  1.5MB
- MD5
  
  d20c75f4f7e511d452554d8ad503d646
- SHA1
  
  5fd75bee1ff268b392e9c76303278f51a3270cec
- SHA256
  
  2744fde6ef0640d9d3b6bbd02e2a89a2c38370cd6e9cbe33b580f9c87db33776
- SHA512
  
  deea56293452e9158523dddb5f6253cd5bf187350e24203f693b9363f2c568ee9dfe5eb6dd4bf16e5aa97d03226b72cc30b6f3c23fb8e9906ff5265101e3c18b
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotspywarestealertrojan

behavioral2