lokibot

General

Target

fd5192b610be989cb52672c465a7eda401056546429f8cd671011ce48762ce3a
Size

686KB
Sample

220521-xzhz2sgacl
MD5

18646a3e12769be2b7e42cd7c6ca7c91
SHA1

a53a65a97baa09c14299d9f494b2c9604879be19
SHA256

fd5192b610be989cb52672c465a7eda401056546429f8cd671011ce48762ce3a
SHA512

189511ea4dac5e0729ab6fc0d78c1f1c867682513b6e34d81bd1da638dcfd789948173fc02940eb22a76d4d6835171914184fc17c30c3165d8cdd5016a7cfafc

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://rnarport.com/dino/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  HSBC Beneficiary Payment Advice_PDF.exe
- Size
  
  1.1MB
- MD5
  
  b263766734bce939291e23e8c0951513
- SHA1
  
  205cac9b1f22bcc10cb156ced28ccd0adc01f025
- SHA256
  
  84c9cac8f78ed172c006be7798ee6d1be614306b6a7b956ac68d2f74c4fa0e71
- SHA512
  
  87fb8a715ad78ff0d4d24b34ecac27f4febfd2ac20a305cca9edfc7c6bb82a8608d62911627623456f4b86f990f241c3ee1c0dcf46f716e773c0b8b88fdb13e9
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2