Overview

overview

10

Static

static

PO #1345625.exe

windows7_x64

10

PO #1345625.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO #1345625.cab

  • Size

    470KB

  • Sample

    220705-gzbb7sefap

  • MD5

    afb291543925d97799b679f4afb8ffdf

  • SHA1

    ccdae3de654028e4f1902693d0f180f4518e17f8

  • SHA256

    6c04b0b1be35bd08685239044e0f5cdae4a1f5ce82cb9dbeb5693852f363a4fd

  • SHA512

    a4a110ff3aa0b941b04be693aa0dc10b0e02d85c884118306b796125d0694a913c94855dce00d348747361b347ecb8cd743c09f3f1ce0659d0aab01b5c2640cc

Score
10/10
lokibotcollectionevasionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=19405398078735015

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      PO #1345625.exe

    • Size

      548KB

    • MD5

      efe66fc46c7ed7c585dd1bf9915df2ac

    • SHA1

      352d94d5831717ab9c19b39d3445348fc3a57542

    • SHA256

      954a256825128415a95701e7b17db186d487a86d4cbc1923d96b7f8591c8d696

    • SHA512

      eb582c5ba0a28b81fcbb8d586e23f6058d01277e9545fcb81bf42c357a908121c891f190586f87259f12aeb69f058711ad3c5f2c52e561724582700bc82b2588

    Score
    10/10
    lokibotcollectionevasionspywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks