lokibot

General

Target

09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06
Size

991KB
Sample

220521-w9lm9aeebr
MD5

b650d2a7c5a71109cf872ad301c424d4
SHA1

08e3f4f8d920bad2b87b0fa6f9ec9aaa89cd5384
SHA256

09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06
SHA512

c2abb72202ff643dc031aaa3b290b68c1a8267b9057116a7601cfe5e383e18a5840a5a7a017a157548777327ff347428be3967746fe6661995c3c1f28013be42

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://rnarport.com/deal/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SOA_#BA520865 APR20pdf.exe
- Size
  
  1.4MB
- MD5
  
  651f7592df60c78259741d1452987807
- SHA1
  
  e4a39cb28f1275bd13dd357ce5592f4dc975268f
- SHA256
  
  fba2d704c11e4e6016da0acc631c12bb8ded89d3c46eb5469aa98988844f8b7e
- SHA512
  
  c438fc13a08ac1b27004a92d818341c1151b7df74fe3c0514636d087044b82e20f1d451acc05554e96a2265a1e10eb704a3feccb46ed8660a75c49d5b1daf4b4
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2