lokibot

General

Target

PO_60577.scr
Size

1.1MB
Sample

210113-rb74cfjf72
MD5

000af790102eb884cfb98b2e4cf50d5a
SHA1

aaa6182f2db7d3608e131f5badf612c7e4ab3377
SHA256

c75e2b1752bd8221bd68fea21243915af2a92834a23d148a46e41b370badfd18
SHA512

3693c63e07eb23185a7bf8d64a25f4128e13e20441827319db6f3f6a320f6472ba494b60cb69be8c5fbb7c634d0af90c671248632df852408faf5d76b10d72c7

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://185.206.215.56/r-1/cgi.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  PO_60577.scr
- Size
  
  1.1MB
- MD5
  
  000af790102eb884cfb98b2e4cf50d5a
- SHA1
  
  aaa6182f2db7d3608e131f5badf612c7e4ab3377
- SHA256
  
  c75e2b1752bd8221bd68fea21243915af2a92834a23d148a46e41b370badfd18
- SHA512
  
  3693c63e07eb23185a7bf8d64a25f4128e13e20441827319db6f3f6a320f6472ba494b60cb69be8c5fbb7c634d0af90c671248632df852408faf5d76b10d72c7
Score

10^/10

lokibot persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2