lokibot | c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab | Triage

Submit
Reports

Overview

overview

Static

static

tmp/c2a82b...ab.xls

windows7_x64

tmp/c2a82b...ab.xls

windows10_x64

1

Sharing

General

Target

tmp/c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab.xls
Size

229KB
Sample

211206-j1pbkadegl
MD5

dd939aae349dc2b9add3f26114da4a73
SHA1

160a127eecd37636c220f5c149913259d017717a
SHA256

c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab
SHA512

3acfb39ccd30f17eb390229200ad92301e17cb84ff726ff587e8644c1b96f610cc4913e2f59c0409a6c53546ea7d262e79732a938b2171e74d9daed47914b52f

Score

10^/10

lokibot collection spyware stealer suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

tmp/c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab.xls

Resource

win7-en-20211014

lokibot collection spyware stealer suricata trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tmp/c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab.xls

Resource

win10-en-20211104

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/gb22/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  tmp/c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab.xls
- Size
  
  229KB
- MD5
  
  dd939aae349dc2b9add3f26114da4a73
- SHA1
  
  160a127eecd37636c220f5c149913259d017717a
- SHA256
  
  c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab
- SHA512
  
  3acfb39ccd30f17eb390229200ad92301e17cb84ff726ff587e8644c1b96f610cc4913e2f59c0409a6c53546ea7d262e79732a938b2171e74d9daed47914b52f
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealersuricatatrojan

behavioral2

© 2018-2024

Terms | Privacy