lokibot | 86104b114c8a2df3ff733fc9729d3c27953318807281735c21033705789d5a7b | Triage

Submit
Reports

Overview

overview

Static

static

MVSEACON KOBE.xlsx

windows7_x64

MVSEACON KOBE.xlsx

windows10_x64

1

Sharing

General

Target

MVSEACON KOBE.xlsx
Size

349KB
Sample

211029-jzeqqshfdj
MD5

fc7daf6ca0e28139a632fd9c7dcd3fe1
SHA1

49b48b54c2bc7570db20c27890a2726cc55c90f5
SHA256

86104b114c8a2df3ff733fc9729d3c27953318807281735c21033705789d5a7b
SHA512

b7fba001505e4855b65b82512cd1c573e645aa1a81180ef31f24f4fa4c74256f19bddb0ce54477b772dedfd57a7afe6e83e9235240bac7af6dd7a90d978f6492

Score

10^/10

lokibot collection spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

MVSEACON KOBE.xlsx

Resource

win7-en-20211014

lokibot collection spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

MVSEACON KOBE.xlsx

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/ga18/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  MVSEACON KOBE.xlsx
- Size
  
  349KB
- MD5
  
  fc7daf6ca0e28139a632fd9c7dcd3fe1
- SHA1
  
  49b48b54c2bc7570db20c27890a2726cc55c90f5
- SHA256
  
  86104b114c8a2df3ff733fc9729d3c27953318807281735c21033705789d5a7b
- SHA512
  
  b7fba001505e4855b65b82512cd1c573e645aa1a81180ef31f24f4fa4c74256f19bddb0ce54477b772dedfd57a7afe6e83e9235240bac7af6dd7a90d978f6492
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy