lokibot | 4767c646c40f6ceace8139de145a631a308ae5c3fe3f2868bd36477009920446 | Triage

Sharing

General

Target

4767c646c40f6ceace8139de145a631a308ae5c3fe3f2868bd36477009920446
Size

1015KB
Sample

220521-n292waeed4
MD5

4616f486e2142fb7488719f2e132edaf
SHA1

7af4f630c22437e06229999575c6dc620c5f0adc
SHA256

4767c646c40f6ceace8139de145a631a308ae5c3fe3f2868bd36477009920446
SHA512

0ce701ca1450276b862ef0bc5d2eb0e44107a4617c18bbc840310f89b35f88d215a2f1fd01c830019bfe9ab636040a20c0cf6c551f134bff2c78ba4d5626b5f0

Score

10^/10

lokibot remcos warzonerat collection evasion infostealer persistence rat spyware stealer trojan

Malware Config

Targets

- Target
  
  ISF form == 20030316 M#EGLV003090032432.scr
- Size
  
  584KB
- MD5
  
  7de6d9395aafb8bd1720692f8c3e8397
- SHA1
  
  b46eb569d352fe5dc0cc5c3f67fe6474a09a514f
- SHA256
  
  5cd183da8ceb32dfce5219ece25684d9eb1624ca8e0ec30e374219732944c8e5
- SHA512
  
  46433ffdb7c7d31518e5030e40cfb5045878e0e11f57458c3316eb1ccafaec31297c0bb5836fa1f1ab151fa690bb8d8a72fcfb5c063425a594c1b2914ce32b08
Score

10^/10

remcos evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Invoice & Packing list EGLV003090032432.scr
- Size
  
  571KB
- MD5
  
  165255e7fef985bb6a76cdd5dc0f3efe
- SHA1
  
  4d4f455814cb607ae530fa589c6d1d3ed9e4173d
- SHA256
  
  3266b45cbefcbd64ebc0b8e2a120a98e5fd72b94135c33a2f36aa510d9dbc207
- SHA512
  
  10bfa4823ab3207b6a2ee0f9ddc0163ae7f5ebf12bf8589a9c2c72c59b31426b31699baacbf0b57ea4aeea897e8bf28cb9c3ffc4863b2c0ebba2e64ce636f818
Score

10^/10

warzonerat infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  VGM ==#EGLV003090032432.scr
- Size
  
  566KB
- MD5
  
  513f868cd3e85eaab2a9264a3060a63a
- SHA1
  
  d0e6de28c03de8249877b745c459d0335e67dbe5
- SHA256
  
  6fd7ef78c4314252a4e7360e1d93222f3812333f4fc7148c0c6dc9da8c122b7e
- SHA512
  
  910048913ba4bf5fbc814642510e66cd6b5511052eae91ac21b24d25550fa7ca2b877a989c24785fe7cf00868d5f136438ce75873ba9239ecdb83153b5698eba
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosevasionpersistencerattrojan

behavioral2

remcosevasionpersistencerattrojan

behavioral3

warzoneratinfostealerpersistencerat

behavioral4

warzoneratinfostealerpersistencerat

behavioral5

lokibotcollectionspywarestealertrojan

behavioral6

lokibotcollectionspywarestealertrojan