lokibot | 9213594d63646a5144de658badc6f9fd4ac15ce711bac1f115ccdf08d74c8add | Triage

Sharing

General

Target

bank remittance.xlsx
Size

2.3MB
Sample

210114-qz6ycfdcj6
MD5

c29a880a76eb591fcb948223e6ea66c5
SHA1

2992ee94c58e1190f2222086ceb5e923d5977af3
SHA256

9213594d63646a5144de658badc6f9fd4ac15ce711bac1f115ccdf08d74c8add
SHA512

9064489ed4e5404218638161e5d2df0614578a711d643d098f5c0ee0ece96981a5cfcfedad22a6a4e20dc70a6ed32f9017f7ca50c699c9b8cd954dcb5d10851f

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://blueriiver-eu.com/chief/offor/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  bank remittance.xlsx
- Size
  
  2.3MB
- MD5
  
  c29a880a76eb591fcb948223e6ea66c5
- SHA1
  
  2992ee94c58e1190f2222086ceb5e923d5977af3
- SHA256
  
  9213594d63646a5144de658badc6f9fd4ac15ce711bac1f115ccdf08d74c8add
- SHA512
  
  9064489ed4e5404218638161e5d2df0614578a711d643d098f5c0ee0ece96981a5cfcfedad22a6a4e20dc70a6ed32f9017f7ca50c699c9b8cd954dcb5d10851f
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotspywarestealertrojan

behavioral2