lokibot | d03d6a763a133ec9a9de300bfb993f5231b76da17f318043968121aad350b598 | Triage

Submit
Reports

Overview

overview

Static

static

RFQQuote-R...83.exe

windows7_x64

RFQQuote-R...83.exe

windows10_x64

Sharing

General

Target

RFQQuote-REF MOITB102125083.gz
Size

228KB
Sample

211026-jlzhzshham
MD5

d1ca5f940218b1f6f4e6a7e8aaec48c8
SHA1

a78c5efd7975fdd827e069b9f824c4adac3c5c30
SHA256

d03d6a763a133ec9a9de300bfb993f5231b76da17f318043968121aad350b598
SHA512

8260bee7f14004746f54e82993eb6f72d92a77e22278d1bfca7efe80f16a20d499bf8fe1ff834efb22fbe7283c4de52561db4447303679af86c0185499a22e47

Score

10^/10

lokibot collection evasion spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

RFQQuote-REF MOITB102125083.exe

Resource

win7-en-20211014

lokibot collection evasion spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

RFQQuote-REF MOITB102125083.exe

Resource

win10-en-20210920

lokibot collection evasion spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

https://ilyasautotech.com.au/totech/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  RFQQuote-REF MOITB102125083.exe
- Size
  
  244KB
- MD5
  
  ce9243796ed9bb455d7bc29aee7566e9
- SHA1
  
  ee4734a153490f8df53b3f5e8032f60f7812f04c
- SHA256
  
  aad8c3e8a386500fd5c0080ed040775c5210d1ec54deddc1073d5643df4a083a
- SHA512
  
  b310ddc229b2394a26ebb7afab2f16f9068a7f70e68c8a8a47f3dae81723f3c549bd0c8fd392ef978877238dc9ee36853cc44fd581c8ce4652e4a72482451365
Score

10^/10

lokibot collection evasion spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionspywarestealersuricatatrojan

behavioral2

lokibotcollectionevasionspywarestealersuricatatrojan

© 2018-2024

Terms | Privacy