lokibot | 4b039a4113c98611053887af474ca0ef492c693525f6b2d700184e05720a2924 | Triage

Submit
Reports

Overview

overview

Static

static

quotation(...a).exe

windows7_x64

quotation(...a).exe

windows10-2004_x64

Sharing

General

Target

4b039a4113c98611053887af474ca0ef492c693525f6b2d700184e05720a2924
Size

165KB
Sample

220524-1jlb1shab9
MD5

7228a31a21294c843be421ec18a5bbc8
SHA1

a4076e09b181f8ca2b43d155a1b4e2434de10b90
SHA256

4b039a4113c98611053887af474ca0ef492c693525f6b2d700184e05720a2924
SHA512

7547ddf291d9054beb9ed185b1aa6081edae489b46dc62d46fc46b7d86ad3048b73c39ca10af62789c305cd4c67b205bc39914f4ce55e4b7d9db3fe280cb4e89

Score

10^/10

lokibot collection evasion rezer0 spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

quotation(CIF Yokohama).exe

Resource

win7-20220414-en

lokibot collection evasion rezer0 spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

quotation(CIF Yokohama).exe

Resource

win10v2004-20220414-en

lokibot collection evasion spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

https://nnasout.com/loo/need/work/Panel/five/fre.php?

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  quotation(CIF Yokohama).exe
- Size
  
  222KB
- MD5
  
  2eef9ae522288b3b5a93ddf1c4b10222
- SHA1
  
  f4f6538e30789dccda884c706cb61a194cd7da00
- SHA256
  
  352a06a48ddb77e75cd54264c213c7adfe6a70c1bbb89f453cd41e4592ec3d8a
- SHA512
  
  5438f3daa0d9a52a150968d4957d577fd71815481104555ce85184acd3c1c9a8849b555dd54925f8f7a269a326e03938319199953d676cea55eba8bd58511827
Score

10^/10

lokibot collection evasion rezer0 spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionrezer0spywarestealertrojan

behavioral2

lokibotcollectionevasionspywarestealertrojan

© 2018-2024

Terms | Privacy