lokibot | 9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d | Triage

Submit
Reports

Overview

overview

Static

static

TT Copy.doc

windows7_x64

TT Copy.doc

windows10_x64

1

Sharing

General

Target

TT Copy.doc
Size

957KB
Sample

210114-elbmjkmqvn
MD5

0d1f1658ad83475a2a3ba248f22b511d
SHA1

47f8a624486c5b3e689de2613ff2f25fedba8060
SHA256

9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d
SHA512

f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20

Score

10^/10

lokibot netwire botnet persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

TT Copy.doc

Resource

win7v20201028

lokibot netwire botnet persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TT Copy.doc

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/cfOoZYb0LXPms

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  TT Copy.doc
- Size
  
  957KB
- MD5
  
  0d1f1658ad83475a2a3ba248f22b511d
- SHA1
  
  47f8a624486c5b3e689de2613ff2f25fedba8060
- SHA256
  
  9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d
- SHA512
  
  f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20
Score

10^/10

lokibot netwire botnet persistence rat spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotnetwirebotnetpersistenceratspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy