lokibot | 0a00b3f54e580bd83e27806dd4b9a5dfa207cdef1b687fcac362766a5b919453 | Triage

Submit
Reports

Overview

overview

Static

static

NEW-ORDER23FG.exe

windows7_x64

NEW-ORDER23FG.exe

windows10-2004_x64

Sharing

General

Target

0a00b3f54e580bd83e27806dd4b9a5dfa207cdef1b687fcac362766a5b919453
Size

318KB
Sample

220521-ex6n8ahha4
MD5

55b844a17223c250d0b4b67ae22ac5b5
SHA1

8d5f2c87ed3aa7d55a4d2d1159c75c291562d6ed
SHA256

0a00b3f54e580bd83e27806dd4b9a5dfa207cdef1b687fcac362766a5b919453
SHA512

0caf19480bc81ecb69c2655ee1bb82b8a06c3b9e5c6f7c320a35d0e35aaf20ace972d9b3252be77d66fc729f496cd58dde9f64cdabe412fc77ad7cdc0d0bae93

Score

10^/10

lokibot collection evasion spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

NEW-ORDER23FG.exe

Resource

win7-20220414-en

lokibot collection evasion spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

NEW-ORDER23FG.exe

Resource

win10v2004-20220414-en

lokibot collection evasion spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://mecharnise.ir/ea1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  NEW-ORDER23FG.exe
- Size
  
  257KB
- MD5
  
  0c3227b06f7434d5ad34ab48563ba8b0
- SHA1
  
  8814d1f397ad035f2f899ed4957271912c1bb327
- SHA256
  
  af34abd9ebf843a20d33224397e71493847e1c903082bb39f4c3029da58d5b05
- SHA512
  
  c1a1bb71e3e63f74ef8153f24a03b83c1d3b826054078f12cbfdca698cf5e1559ae1c6fd1612f27f1a4a4c8550e9a4467bfd4e7ef01d0074244c1efa4cfda8c4
Score

10^/10

lokibot collection evasion spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionspywarestealertrojan

behavioral2

lokibotcollectionevasionspywarestealertrojan

© 2018-2024

Terms | Privacy