lokibot | b7ee3ada772d88b86d6f285aecbf7b0ab5273522af3766223b06c3163d48991c | Triage

Sharing

General

Target

PROFORMANew PO N. FM 22062021.xlsx
Size

1.2MB
Sample

210624-7ctx5cf41e
MD5

f61308f87b0af6dfc5433561025f9ab1
SHA1

ad4bd9e24ea51bc8d58dd38f628b69fb87476a5c
SHA256

b7ee3ada772d88b86d6f285aecbf7b0ab5273522af3766223b06c3163d48991c
SHA512

241e1abbb118053dc67b58fef842b8ad93391537da6f7e146ef27e39a03d693c2fcb749d393162a70cb46874e9c83447a74ded10c16eb4fb274c7a133d84fd95

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/S4wFP8QBww9Tp

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  PROFORMANew PO N. FM 22062021.xlsx
- Size
  
  1.2MB
- MD5
  
  f61308f87b0af6dfc5433561025f9ab1
- SHA1
  
  ad4bd9e24ea51bc8d58dd38f628b69fb87476a5c
- SHA256
  
  b7ee3ada772d88b86d6f285aecbf7b0ab5273522af3766223b06c3163d48991c
- SHA512
  
  241e1abbb118053dc67b58fef842b8ad93391537da6f7e146ef27e39a03d693c2fcb749d393162a70cb46874e9c83447a74ded10c16eb4fb274c7a133d84fd95
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotspywarestealertrojan

behavioral2