Overview

overview

10

Static

static

PO #1345625.exe

windows7_x64

10

PO #1345625.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO #1345625.exe

  • Size

    548KB

  • Sample

    220704-pswzbsbce9

  • MD5

    efe66fc46c7ed7c585dd1bf9915df2ac

  • SHA1

    352d94d5831717ab9c19b39d3445348fc3a57542

  • SHA256

    954a256825128415a95701e7b17db186d487a86d4cbc1923d96b7f8591c8d696

  • SHA512

    eb582c5ba0a28b81fcbb8d586e23f6058d01277e9545fcb81bf42c357a908121c891f190586f87259f12aeb69f058711ad3c5f2c52e561724582700bc82b2588

Score
10/10
lokibotcollectionevasionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=19405398078735015

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PO #1345625.exe

    • Size

      548KB

    • MD5

      efe66fc46c7ed7c585dd1bf9915df2ac

    • SHA1

      352d94d5831717ab9c19b39d3445348fc3a57542

    • SHA256

      954a256825128415a95701e7b17db186d487a86d4cbc1923d96b7f8591c8d696

    • SHA512

      eb582c5ba0a28b81fcbb8d586e23f6058d01277e9545fcb81bf42c357a908121c891f190586f87259f12aeb69f058711ad3c5f2c52e561724582700bc82b2588

    Score
    10/10
    lokibotcollectionevasionspywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks