lokibot

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.655.18953
Size

554KB
Sample

220704-e66etagfg8
MD5

b5f7d65b946de5b3aba05e6438cb1e8f
SHA1

f93a8d3e17563203fdf5d15a678c08579cc54451
SHA256

a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d
SHA512

6cae6bbc121e36eca3b2c7ada32c94d29773cec912e86aeeb517ebe07a2375a8ad71fccd6c7b046a3c50718d50b10487df6c14065c3287321ad03cb025a64433

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=22289002125658625

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SecuriteInfo.com.W32.AIDetectNet.01.655.18953
- Size
  
  554KB
- MD5
  
  b5f7d65b946de5b3aba05e6438cb1e8f
- SHA1
  
  f93a8d3e17563203fdf5d15a678c08579cc54451
- SHA256
  
  a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d
- SHA512
  
  6cae6bbc121e36eca3b2c7ada32c94d29773cec912e86aeeb517ebe07a2375a8ad71fccd6c7b046a3c50718d50b10487df6c14065c3287321ad03cb025a64433
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2