lokibot | 9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10_x64

Sharing

General

Target

9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0
Size

323KB
Sample

211108-29h51sbbcq
MD5

4038f440c0d6f5d10280803843645ab0
SHA1

bc093bdb85b04517c8a6feae8b2d95c9b8f7fb95
SHA256

9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0
SHA512

22dd15ec16f7731913b9ed2ecfb952bf9c44ecfe1b9aaf67447e5252a2b0209631d1a9ba7d5097e2b9fd0a8675e84476a7fcfce36720fa7d3b7f487146042d9f

Score

10^/10

lokibot neshta collection persistence spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe

Resource

win10-en-20211014

lokibot neshta collection persistence spyware stealer suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0
- Size
  
  323KB
- MD5
  
  4038f440c0d6f5d10280803843645ab0
- SHA1
  
  bc093bdb85b04517c8a6feae8b2d95c9b8f7fb95
- SHA256
  
  9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0
- SHA512
  
  22dd15ec16f7731913b9ed2ecfb952bf9c44ecfe1b9aaf67447e5252a2b0209631d1a9ba7d5097e2b9fd0a8675e84476a7fcfce36720fa7d3b7f487146042d9f
Score

10^/10

lokibot neshta collection persistence spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotneshtacollectionpersistencespywarestealersuricatatrojan

© 2018-2024

Terms | Privacy