lokibot

General

Target

DHL_Receipt10106272873____________________________________________________________________________________________________________.bat
Size

1.1MB
Sample

220701-vkrmjaacbl
MD5

2f53deb379502fecd2a81113ffd835a6
SHA1

e160179ad42c2fad460b7b75070fa575672aff58
SHA256

c24aa19572a17632264c0af58695bea6a3fc8d0dccd12ba89f21dc481723b348
SHA512

11d6e0185131f4e9fd6952ad35077f7f6b2a29ed65372b552b5a86961204468f0c14cad083e549f5481ecb8d91f938db52ab43a7bb6d44cf2f2f3e1b922892d6

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gi5/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  DHL_Receipt10106272873____________________________________________________________________________________________________________.bat
- Size
  
  1.1MB
- MD5
  
  2f53deb379502fecd2a81113ffd835a6
- SHA1
  
  e160179ad42c2fad460b7b75070fa575672aff58
- SHA256
  
  c24aa19572a17632264c0af58695bea6a3fc8d0dccd12ba89f21dc481723b348
- SHA512
  
  11d6e0185131f4e9fd6952ad35077f7f6b2a29ed65372b552b5a86961204468f0c14cad083e549f5481ecb8d91f938db52ab43a7bb6d44cf2f2f3e1b922892d6
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Fake 404 Response
  suricata: ET MALWARE LokiBot Fake 404 Response
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2