lokibot | 619a1fe68a1abdabd1b77f4bf3be91d5b5df789d9d941f3fe69ac201935cc1e6 | Triage

Sharing

General

Target

Swift_INV0880021152020.xlsx
Size

2.3MB
Sample

210115-ccyanqlc8a
MD5

4b4cee24aa613f71e4c48f872fcde74e
SHA1

5e720a0637ef8395ab5ef2656a5c9732828ee731
SHA256

619a1fe68a1abdabd1b77f4bf3be91d5b5df789d9d941f3fe69ac201935cc1e6
SHA512

1403b862fa5da81373443ac1510455ebaa61102f7c3a5fee694adcfc77993adfc67861a393a5ee15ef9e7a0a266936979700bf7d441c953a18c6519af9ed14c2

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://lmpulsefashion.net/chief/boss/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Swift_INV0880021152020.xlsx
- Size
  
  2.3MB
- MD5
  
  4b4cee24aa613f71e4c48f872fcde74e
- SHA1
  
  5e720a0637ef8395ab5ef2656a5c9732828ee731
- SHA256
  
  619a1fe68a1abdabd1b77f4bf3be91d5b5df789d9d941f3fe69ac201935cc1e6
- SHA512
  
  1403b862fa5da81373443ac1510455ebaa61102f7c3a5fee694adcfc77993adfc67861a393a5ee15ef9e7a0a266936979700bf7d441c953a18c6519af9ed14c2
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotspywarestealertrojan