General

  • Target: add582068ab9a1ed7e6ed81dbbcec44ac95334fccf3db1c6ff8df32801599caa
  • Size: 992B
  • Sample: 210727-w6lhl2vw5a
  • MD5: d55ed0ef6c4f4f49f20ab8d899537305
  • SHA1: 32799950eb686078e943154b546d685e95fb9530
  • SHA256: add582068ab9a1ed7e6ed81dbbcec44ac95334fccf3db1c6ff8df32801599caa
  • SHA512: fea31c0466326668014dcad3efee4b8c38a9f291d43e5c72aac87004e5b32451d4c6d350e4142ed54a5e551ef9470b1ce4bcab4d399a5c69619f7b9a188f3da6

Malware Config (extracted)

  • Family: lokibot
  • C2


Targets

  • Target: EDT0932774733.js
  • Size: 2KB
  • MD5: 5db667c7131d5b139e1a0d8bbb049776
  • SHA1: 463e9819a2bc38907ecc003a2885aef188e69a4d
  • SHA256: 1a734745804a9a182e2ec2d86d6e065e720a8d469931a6e8cd48853385237138
  • SHA512: 501154d9c45cef0045de2f39a0bbffcbedc012c59698d3e2587b12159d2ee1979576854ded0f8ba57cf9a483bf9a2d3576c21a64341236361afcc2f4ee70c7fd

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  • Looks for VirtualBox Guest Additions in registry
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Looks for VMware Tools registry key
  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL
  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    – Virtualization/Sandbox Evasion, T1497 (2)

  • Discovery
    – Query Registry, T1012 (4)
    – Virtualization/Sandbox Evasion, T1497 (2)
    – System Information Discovery, T1082 (3)
    – Peripheral Device Discovery, T1120 (1)
