lokibot | 741d450b9e333f111f71bb64a12d63ebdd8d5bc0bc7bb73f2acc3017a1431b60 | Triage

Sharing

General

Target

SPARE PARTS Provision List.xlsx
Size

1.1MB
Sample

210721-h8tyvdw4ls
MD5

9659fa20cf8ef697ef1ab8327fe34bbc
SHA1

fa42bdf404d2a12fe5bfdad717f6c574c14e0aff
SHA256

741d450b9e333f111f71bb64a12d63ebdd8d5bc0bc7bb73f2acc3017a1431b60
SHA512

5196ec75b0387422794c953390365ee0ba361b12b3e418aca0fcd7d655d2d506a7925510e6afc3615fcf71ddfae0451132f3c6484cf54a9c9840cc53be5f39aa

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://manvim.co/fd5/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SPARE PARTS Provision List.xlsx
- Size
  
  1.1MB
- MD5
  
  9659fa20cf8ef697ef1ab8327fe34bbc
- SHA1
  
  fa42bdf404d2a12fe5bfdad717f6c574c14e0aff
- SHA256
  
  741d450b9e333f111f71bb64a12d63ebdd8d5bc0bc7bb73f2acc3017a1431b60
- SHA512
  
  5196ec75b0387422794c953390365ee0ba361b12b3e418aca0fcd7d655d2d506a7925510e6afc3615fcf71ddfae0451132f3c6484cf54a9c9840cc53be5f39aa
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotspywarestealertrojan

behavioral2