General
-
Target
tmp
-
Size
155KB
-
Sample
220521-jlztraeabp
-
MD5
62a3e5d4ed5c3edf4f5b2aa432511a84
-
SHA1
05a066b53dad076bb488146c3e141337f005d57c
-
SHA256
780e7d5477ad9a5ac1e3254a8741fffc7a3274be0e0c986aca2c5438c7ecede7
-
SHA512
48da403d56bc45a40e39032aa1ac8e3e9cbe1295a85f8e8b2946e9ac9bc2896caf8fe994f89a3117a7f7c7b4038082e735a86002373296c3397e6fb45db6de86
Malware Config
Extracted
lokibot
http://sempersim.su/gg1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
tmp
-
Size
155KB
-
MD5
62a3e5d4ed5c3edf4f5b2aa432511a84
-
SHA1
05a066b53dad076bb488146c3e141337f005d57c
-
SHA256
780e7d5477ad9a5ac1e3254a8741fffc7a3274be0e0c986aca2c5438c7ecede7
-
SHA512
48da403d56bc45a40e39032aa1ac8e3e9cbe1295a85f8e8b2946e9ac9bc2896caf8fe994f89a3117a7f7c7b4038082e735a86002373296c3397e6fb45db6de86
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-