lokibot

General

Target

Confirmation Notice20220707.xlsx
Size

177KB
Sample

220707-g5gfeagfe5
MD5

0e1816ea950c32c13609a509af6ab167
SHA1

e10c173749ecc7c2bf04a1462902b9d4d6aceed7
SHA256

399d46d4fcdde13baa7d007ff80124d6eed8f4620a0577df722c3bf027501c19
SHA512

38ef6c3be139a0f92a9564eb14af78c3126c46905e1c0ff95dd130523770ff67696de6fd145579f5cbd3fc3684333fbca9428e53410c57ab2971f9f2df6be61c

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://45.133.1.20/rostov2/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://��Ѝ��Й��Й��я��

Targets

- Target
  
  Confirmation Notice20220707.xlsx
- Size
  
  177KB
- MD5
  
  0e1816ea950c32c13609a509af6ab167
- SHA1
  
  e10c173749ecc7c2bf04a1462902b9d4d6aceed7
- SHA256
  
  399d46d4fcdde13baa7d007ff80124d6eed8f4620a0577df722c3bf027501c19
- SHA512
  
  38ef6c3be139a0f92a9564eb14af78c3126c46905e1c0ff95dd130523770ff67696de6fd145579f5cbd3fc3684333fbca9428e53410c57ab2971f9f2df6be61c
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Checkin
  suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot Fake 404 Response
  suricata: ET MALWARE LokiBot Fake 404 Response
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2