tmp

Target

tmp

Size

178KB

Sample

220514-ryn7saace9

Score

10 ^/10

MD5

fefc2d8ef05916189407d8917c61ba13

SHA1

92aa5269b897b91a220dbb70ac54c27807486fa4

SHA256

9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

SHA512

8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a

Extracted

Family	lokibot
C2	http://hyatqfuh9olahvxf.gq/BN3/fre.php http://kbfvzoboss.bid/alien/fre.php http://alphastand.trade/alien/fre.php http://alphastand.win/alien/fre.php http://alphastand.top/alien/fre.php http://hyatqfuh9olahvxf.gq/BN3/fre.php http://kbfvzoboss.bid/alien/fre.php http://alphastand.trade/alien/fre.php http://alphastand.win/alien/fre.php http://alphastand.top/alien/fre.php

Target

tmp

MD5

fefc2d8ef05916189407d8917c61ba13

Filesize

178KB

Score

10^/10

SHA1

92aa5269b897b91a220dbb70ac54c27807486fa4

SHA256

9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

SHA512

8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a

Signatures

Lokibot
Description

Lokibot is a Password and CryptoCoin Wallet Stealer.
Tags

trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
Description

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
Tags

suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Description

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
Tags

suricata
suricata: ET MALWARE LokiBot Checkin
Description

suricata: ET MALWARE LokiBot Checkin
Tags

suricata
suricata: ET MALWARE LokiBot Fake 404 Response
Description

suricata: ET MALWARE LokiBot Fake 404 Response
Tags

suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
Description

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
Tags

suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
Description

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
Tags

suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Description

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Tags

suricata
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Description

Infostealers often target stored browser data, which can include saved credentials etc.
Tags

spyware stealer

TTPs

Data from Local SystemCredentials in Files
Accesses Microsoft Outlook profiles
Tags

collection

TTPs

Email Collection
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

lokibot collection spyware stealer suricata trojan

10^/10

behavioral2

lokibot collection spyware stealer suricata trojan

10^/10

Extracted

Tags

Signatures

Lokibot

Description

Tags

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Description

Tags

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

Description

Tags

suricata: ET MALWARE LokiBot Checkin

Description

Tags

suricata: ET MALWARE LokiBot Fake 404 Response

Description

Tags

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

Description

Tags

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

Description

Tags

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Description

Tags

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Description

Tags

TTPs

Accesses Microsoft Outlook profiles

Tags

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2