lokibot

General

Target

COAU7229898130.docx
Size

10KB
Sample

210617-hpxeg8smwn
MD5

df55074a5f0dba2b6f7b2ed4bd0601da
SHA1

017070ff75fcb217aa19ea0c8b198652945ce38f
SHA256

8e62450fb766f0cebe41c3492b79151a8ecdccdd491bf4c32cc4691948a0d020
SHA512

b6e5d88c7bb21d56922f4b269d130bd4c79a7b52f2d03eedcf191a88e0ad7ff7e98bf1df656fbde2ab04cb5e6a4f54fced47192e00718e1a6cdc98f7c44c43ec

Score

10^/10

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://dummy_username@0147.0205.0152.0110/-................................................................-/--------------------.....................------------------.wbk

Extracted

Family

lokibot

C2

http://eyecos.ga/akin/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  COAU7229898130.docx
- Size
  
  10KB
- MD5
  
  df55074a5f0dba2b6f7b2ed4bd0601da
- SHA1
  
  017070ff75fcb217aa19ea0c8b198652945ce38f
- SHA256
  
  8e62450fb766f0cebe41c3492b79151a8ecdccdd491bf4c32cc4691948a0d020
- SHA512
  
  b6e5d88c7bb21d56922f4b269d130bd4c79a7b52f2d03eedcf191a88e0ad7ff7e98bf1df656fbde2ab04cb5e6a4f54fced47192e00718e1a6cdc98f7c44c43ec
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2