lokibot | 4a8c2cfd716cc31ceb56fbe9e8f9888a3ddc834a90e6dedcb140dacb79b625ab | Triage

Submit
Reports

Overview

overview

Static

static

tas0v3FvZSBpyH2.exe

windows7_x64

tas0v3FvZSBpyH2.exe

windows10-2004_x64

Sharing

General

Target

4a8c2cfd716cc31ceb56fbe9e8f9888a3ddc834a90e6dedcb140dacb79b625ab
Size

317KB
Sample

220521-dke53aahcq
MD5

a796500fb70218260a23af6b86890776
SHA1

1bc9a256beae11acada5b9514cd29c9fdf5b1820
SHA256

4a8c2cfd716cc31ceb56fbe9e8f9888a3ddc834a90e6dedcb140dacb79b625ab
SHA512

0c221b5d5170e4822197d3a6ca7c9aba0fe10568b9ece7a8367c9872a6d3ab97186ee2224fe9229af1fd156631cb7910dcabbc26e7ce66a810d5b450f166911d

Score

10^/10

lokibot snakebot collection coreentity rezer0 snakebot spyware stealer trojan

Static task

static1

snakebot snakebot

Behavioral task

behavioral1

Sample

tas0v3FvZSBpyH2.exe

Resource

win7-20220414-en

lokibot snakebot collection coreentity rezer0 snakebot spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

tas0v3FvZSBpyH2.exe

Resource

win10v2004-20220414-en

lokibot snakebot collection snakebot spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://skull3.ga/martins27/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  tas0v3FvZSBpyH2.exe
- Size
  
  676KB
- MD5
  
  557353bdbd122177a75fe9b79e5b4242
- SHA1
  
  5815cf11845fb0eac0634fe7422b27f6f51163f5
- SHA256
  
  3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51
- SHA512
  
  e7eb2ae7db03555fdf1c800305bc060fc07e6d9667910a9a022cc10f40e6d3edf901b7f4903799706b43566977e2e1f62e971109ffe84c9398f3f11beea10b74
Score

10^/10

lokibot snakebot collection coreentity rezer0 snakebot spyware stealer trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- SnakeBOT
  SnakeBOT is a heavily obfuscated .NET downloader.
  snakebot
- Contains SnakeBOT related strings
  snakebot
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

snakebotsnakebot

behavioral1

lokibotsnakebotcollectioncoreentityrezer0snakebotspywarestealertrojan

behavioral2

lokibotsnakebotcollectionsnakebotspywarestealertrojan

© 2018-2024

Terms | Privacy