Overview

overview

10

Static

static

60233fbb1b...bb.exe

windows7_x64

1

60233fbb1b...bb.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

  • Size

    583KB

  • Sample

    220521-yhx83sgbgr

  • MD5

    6b69dad98e1d8005f36ab1119c305ab6

  • SHA1

    9590a0c12559b6b7c14354d81e4230ed9f451ef5

  • SHA256

    60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb

  • SHA512

    35ea539e2fc35abf2301372591902b43d4027196411f2d293f4f68db9e615f4d356025a76d5f28d1861d9d6752aa46505066e52c5352378644e14228cb250c4e

Score
10/10
lokibotcollectionevasionpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=7347525472263042

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb.exe

    • Size

      583KB

    • MD5

      6b69dad98e1d8005f36ab1119c305ab6

    • SHA1

      9590a0c12559b6b7c14354d81e4230ed9f451ef5

    • SHA256

      60233fbb1bbd1ce75f4d4a7852b473d4bdc2f489745069e0fcff434108586bbb

    • SHA512

      35ea539e2fc35abf2301372591902b43d4027196411f2d293f4f68db9e615f4d356025a76d5f28d1861d9d6752aa46505066e52c5352378644e14228cb250c4e

    Score
    10/10
    lokibotcollectionevasionpersistencespywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

5
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks