lokibot

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.5636.6173
Size

446KB
Sample

220725-c5aweabecr
MD5

df8bead35a67a92c618506dc716f4fc7
SHA1

30b9feec38333d0e3434533878c35ca41993a172
SHA256

8de2dce55136838fbe6c2ebad8addc2d2c2f552b9000933461560b834cd014f0
SHA512

7a948a60dabe7f838d895de02203f09dee31aa4db99be910b5cd151b3fb3504e117396a02786b5b1c72ee135b72dc2fe45b905c681750da3128fc1e7a2adf5b3

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://66.29.145.162/?upps6kY5iFClzLE15GzzT6o9K2EZ

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SecuriteInfo.com.W32.AIDetectNet.01.5636.6173
- Size
  
  446KB
- MD5
  
  df8bead35a67a92c618506dc716f4fc7
- SHA1
  
  30b9feec38333d0e3434533878c35ca41993a172
- SHA256
  
  8de2dce55136838fbe6c2ebad8addc2d2c2f552b9000933461560b834cd014f0
- SHA512
  
  7a948a60dabe7f838d895de02203f09dee31aa4db99be910b5cd151b3fb3504e117396a02786b5b1c72ee135b72dc2fe45b905c681750da3128fc1e7a2adf5b3
Score

10^/10

lokibot collection spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2