lokibot | 45379843244b5168239ab555c30f898bc61eed5753fab08fe6e04d4ece3eed41 | Triage

Sharing

General

Target

45379843244b5168239ab555c30f898bc61eed5753fab08fe6e04d4ece3eed41
Size

481KB
Sample

220707-t23kpadbg2
MD5

3f9c33cb8f78d31b23d5013eb1a7fb2b
SHA1

55d6c089de471a641fe86023565bca1a79a12238
SHA256

45379843244b5168239ab555c30f898bc61eed5753fab08fe6e04d4ece3eed41
SHA512

29ca30565421647aaf5d94f250617f67baea0c80f46e59502c685714836918cf727e7ef79d1342f78d39054338fb3f5e16db64b098df86c8bb2b5c80c7956b39

Score

10^/10

lokibot persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://kings.jesseworld.eu/five/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  45379843244b5168239ab555c30f898bc61eed5753fab08fe6e04d4ece3eed41
- Size
  
  481KB
- MD5
  
  3f9c33cb8f78d31b23d5013eb1a7fb2b
- SHA1
  
  55d6c089de471a641fe86023565bca1a79a12238
- SHA256
  
  45379843244b5168239ab555c30f898bc61eed5753fab08fe6e04d4ece3eed41
- SHA512
  
  29ca30565421647aaf5d94f250617f67baea0c80f46e59502c685714836918cf727e7ef79d1342f78d39054338fb3f5e16db64b098df86c8bb2b5c80c7956b39
Score

10^/10

lokibot persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotpersistencespywarestealertrojan

behavioral2

lokibotpersistencespywarestealertrojan