lokibot | a60f5da18b43cee8b11581668df2284a37361f16f1994f21e2c9dab8e48f8298 | Triage

Submit
Reports

Overview

overview

Static

static

AMOUNT REC...c.xlsx

windows7_x64

AMOUNT REC...c.xlsx

windows10_x64

1

Sharing

General

Target

AMOUNT RECIEPT.doc.xlsx
Size

1.2MB
Sample

210728-yysp5954aj
MD5

a746a19a87ba1b76b2e453c0ac7131e9
SHA1

893dba0bd9b59d313207c3e91711988271306a8d
SHA256

a60f5da18b43cee8b11581668df2284a37361f16f1994f21e2c9dab8e48f8298
SHA512

f2ce5fa31859d2d4b9ba25cc29333eace054e58b5fae466fe3561137b6081a82c61dbce00e1cb0561b6e66f5934cbf517442a572563b0bf72c160c5e1b9dccec

Score

10^/10

lokibot spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

AMOUNT RECIEPT.doc.xlsx

Resource

win7v20210408

lokibot spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

AMOUNT RECIEPT.doc.xlsx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  AMOUNT RECIEPT.doc.xlsx
- Size
  
  1.2MB
- MD5
  
  a746a19a87ba1b76b2e453c0ac7131e9
- SHA1
  
  893dba0bd9b59d313207c3e91711988271306a8d
- SHA256
  
  a60f5da18b43cee8b11581668df2284a37361f16f1994f21e2c9dab8e48f8298
- SHA512
  
  f2ce5fa31859d2d4b9ba25cc29333eace054e58b5fae466fe3561137b6081a82c61dbce00e1cb0561b6e66f5934cbf517442a572563b0bf72c160c5e1b9dccec
Score

10^/10

lokibot spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy