lokibot | c84daab0159e54c17bbb8ff7c7d61111fef8588a9a540f5b5f74eb66aa1d1265 | Triage

Submit
Reports

Overview

overview

Static

static

VDI-QUOTAT...T.xlsx

windows7_x64

VDI-QUOTAT...T.xlsx

windows10_x64

1

Sharing

General

Target

VDI-QUOTATION-PAYMENT.xlsx
Size

229KB
Sample

211125-vgv6jsfhdj
MD5

1325c1dc4db5e238475858c2feaa326a
SHA1

9f611b8cfd41c1dc854ab0f3bad6437bcc309a74
SHA256

c84daab0159e54c17bbb8ff7c7d61111fef8588a9a540f5b5f74eb66aa1d1265
SHA512

4a42596ff13261dd7779d0b6213520370b8e0ef4ba2e8e237c74cb5969693dea720e28d2197c22dde74e264989fe61fc1af98da6581d0a65f2921b990d235847

Score

10^/10

lokibot collection spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

VDI-QUOTATION-PAYMENT.xlsx

Resource

win7-en-20211014

lokibot collection spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

VDI-QUOTATION-PAYMENT.xlsx

Resource

win10-en-20211104

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/fd4/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  VDI-QUOTATION-PAYMENT.xlsx
- Size
  
  229KB
- MD5
  
  1325c1dc4db5e238475858c2feaa326a
- SHA1
  
  9f611b8cfd41c1dc854ab0f3bad6437bcc309a74
- SHA256
  
  c84daab0159e54c17bbb8ff7c7d61111fef8588a9a540f5b5f74eb66aa1d1265
- SHA512
  
  4a42596ff13261dd7779d0b6213520370b8e0ef4ba2e8e237c74cb5969693dea720e28d2197c22dde74e264989fe61fc1af98da6581d0a65f2921b990d235847
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy