lokibot | 5d4e35e3913b9a46150bcc2ba94e971a643465a143ba91fee659d6827fe828e1 | Triage

Sharing

General

Target

download(1).zip
Size

606KB
Sample

210430-6pz486pe96
MD5

edab91f4d832a9c0e6f43dddc6d239fe
SHA1

b6919e3980187a39748963f134d5509170a58fe4
SHA256

5d4e35e3913b9a46150bcc2ba94e971a643465a143ba91fee659d6827fe828e1
SHA512

b40f822f773843bcf0e46598e4a28fa94063914d634b55e701561536fb1e47bd70d30fe8234184d99b9da364c852dc26d8c90aba5c99040b23b1a1d809fd335e

Score

10^/10

lokibot xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Extracted

Family

lokibot

C2

http://bobydomain.com/okfile/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  FACTURA.exe
- Size
  
  259KB
- MD5
  
  dbe8f4544e6c99ac9311d37139150e9a
- SHA1
  
  14da5f434e987b372a2e783d49134877bcce9ebe
- SHA256
  
  c3192d94f1b44c9c8ce94f3865d88b1a169dde10f3dadf3a517c3de34487a5a5
- SHA512
  
  25a785d5d9cd19bf0e9805dee79433140de4cd5fc3384e292ec6421089f0560fdb44fcb0a2eed8a2774f9d3a89a6c30b5cc1248756d3b44125e478bc991e8a41
Score

10^/10

xloader loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  URGENT Request for Quotation.pdf.exe
- Size
  
  742KB
- MD5
  
  2c06382d5825ffba5cbe2e40c6b3c60e
- SHA1
  
  8b3b2f5a7dec1cf208abf3409cf13c1216d2edd8
- SHA256
  
  193f9577a84d3863b8499fde73484d510ba4f4235b93ad2d25195f57f78bd7ef
- SHA512
  
  39119f150e7cc8cfe7d9aa6cc96e9e1afdadeafbf7dc026faafb7c1be6175adc89a0e54275d3cdc04d4ea724b9a96a11a77c986c43662e6e8abb2ad33c69e367
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xloaderloaderrat

behavioral2

xloaderloaderrat

behavioral3

lokibotspywarestealertrojan

behavioral4

lokibotspywarestealertrojan