lokibot

Sharing

Copy URL

Twitter E-mail

General

Target

A4720720343174B26e4fc2ee6.txt
Size

1.1MB
Sample

220623-relybadchl
MD5

ead84dcd355536a9832b9c3cd69f919c
SHA1

8bd1201ac58457b9bdfbb1e10a3d79b7cc2ec47d
SHA256

80598001b726905261ebb25a9f1f96ab1c8e7c5dbaf99f6e3d61f70d064f84c5
SHA512

05494b4d5e4a0ed2b808b23839826ad4796abb8d68800ceceba5e6b7df1e0b5302c435ef567d59e9e74a15a0aedbf2fc81bfb94f10e2b800e13ffc5152d6ab6f

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://ttloki.us/xz/ee/ttf.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Informe bancario.pdf.gz
- Size
  
  388KB
- MD5
  
  8c84924db5670f38b9d270f4ec43eda5
- SHA1
  
  0c88305be01d9036553fde598dda746965b62b9a
- SHA256
  
  912ceaef85fccb2357c7cadb5437afcd8dbff37dab20e1cc22cfdd4c9f6c3f15
- SHA512
  
  97bbd5e054336a26d5619666bf480a1f7e0a619bc639028f64395d4036e6a3ee3fe57b4484f57967dfe679986cdfb7f3c085c7d3da1886dd80b23ae51dc65b40
Score

3^/10
behavioral1 behavioral2 behavioral8 behavioral10
- Target
  
  Informe bancario.pdf.exe
- Size
  
  482KB
- MD5
  
  bf9c7d63f5116beb0922a01e7ff7012f
- SHA1
  
  8ef308edcfa79dfba17b92cbf6752f85e4a4f1d3
- SHA256
  
  8dbc2d3e85cc4d818fd9b3920138660701df08208b3659f08ac39fd57a06afbe
- SHA512
  
  55655927201555a03e8d69eed43d71ecf8496a557554eb45d2153811ba3bc5f00ccefa9ecb4d8262219e0764b74385332a06b583e0dac68728ca2f7742d9d143
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Fake 404 Response
  suricata: ET MALWARE LokiBot Fake 404 Response
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  email-html-2.txt
- Size
  
  5KB
- MD5
  
  9175a3706297a21a7b7eda3a5098bc52
- SHA1
  
  e9546b80e31f47696ba739ada8f45db499cf1e49
- SHA256
  
  4c334235b528011136ac59cb0340493e88dc8f9f4e599ec54c0a6920d2323191
- SHA512
  
  d1b21cff1d4705fdb5cc732e46cd0504d60a9d11714c2191e20d02122ae35e54ffd922dac05cdcb28f9af01db422b1beda9f392b5eb7e888b4c19d404c458e28
Score

1^/10
behavioral5 behavioral6
- Target
  
  email-plain-1.txt
- Size
  
  321B
- MD5
  
  6d48994df23abf907786633d70702763
- SHA1
  
  4f37585911c10742f0add4ca6538e2cc16e7c48b
- SHA256
  
  22fa0af7cf49d8820ac3d0e1e929034b5c0101e96c33c07d015c5ea3bc36af19
- SHA512
  
  a07f91b6e70d57a164b917fd94c0a84bfc012dc43275bb9fbdd4b7d3ffb8cf6bad3aabe180df5f24b1456c38846c442c36af7e7ab4467d8631b3663fc4375b76
Score

1^/10
behavioral7
- Target
  
  transferencia de pago.pdf.gz
- Size
  
  388KB
- MD5
  
  74ee04c65f550fb029dc72d8bda1cb6b
- SHA1
  
  f8d7cb8b50e8ebfeb80790dfe186d2c2bef01c32
- SHA256
  
  3b947a32adf0b93db57132213fd2380683631d2e403e9aa9b06c405a17137ac2
- SHA512
  
  9b2db966c9735ffd75dbd99de437542fcf7f562e802aa58bae8b4719da64231f7a57b1675ceaf2af526e7b1121749f73212b6fd86201ccbe2f2cafb7dfa65578
Score

3^/10
behavioral9

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10