lokibot

General

Target

IMG_50617.pdf.exe
Size

1.0MB
Sample

210118-fflga99fsa
MD5

32a192ebfa3cda2c1b161d48886d152f
SHA1

9e36a01df4d0b3f27a409d1e743037854872fa69
SHA256

58eddddb217d2439b4c23060412039bca6f9a3e52fc83e3f7e4dbd5e62bfc611
SHA512

1f4382050d9de2ba12addee135de22097b4269975d62e1c0055022aa8d3d234afada4da0dc2f923eb76ad50383e105db4dfe86f42b20b766afcf4bbe477a148b

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://185.206.215.56/morx/1/cgi.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  IMG_50617.pdf.exe
- Size
  
  1.0MB
- MD5
  
  32a192ebfa3cda2c1b161d48886d152f
- SHA1
  
  9e36a01df4d0b3f27a409d1e743037854872fa69
- SHA256
  
  58eddddb217d2439b4c23060412039bca6f9a3e52fc83e3f7e4dbd5e62bfc611
- SHA512
  
  1f4382050d9de2ba12addee135de22097b4269975d62e1c0055022aa8d3d234afada4da0dc2f923eb76ad50383e105db4dfe86f42b20b766afcf4bbe477a148b
Score

10^/10

lokibot persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2