lokibot | 4eb2e88f3fff8c16d572b663f0a308d1d988860279b4f4120e67b7c2e5c3ebb4 | Triage

Submit
Reports

Overview

overview

Static

static

Request fo...s.xlsx

windows7-x64

Request fo...s.xlsx

windows10-2004-x64

1

Resubmissions

14-10-2022 11:17

221014-nd22cschb4 8

04-10-2022 07:56

221004-jsn1tsacc4 10

Sharing

General

Target

Request for Quotations.xlsx
Size

224KB
Sample

221004-jsn1tsacc4
MD5

1ecd5677bdbe462913c9f86083691a68
SHA1

e415a9e760777635000b0fff2fccdc606f3eea1d
SHA256

4eb2e88f3fff8c16d572b663f0a308d1d988860279b4f4120e67b7c2e5c3ebb4
SHA512

333636fc4eaa9721079b0579de4c920ad44fe02df9468d397d5bc8064e0249388f29efa4369f405947c817e929a5a179cc709ee785facd64b1a164ffd344844d
SSDEEP

6144:+ojGA57x8tQFb7mepx2qMPojnE617Mfpx3oH:nd8Wl5jR6AzZKf4

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Request for Quotations.xlsx

Resource

win7-20220901-en

lokibot collection spyware stealer trojan

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Request for Quotations.xlsx

Resource

win10v2004-20220901-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://162.0.223.13/?OpqycIYJoIxPvNI7mSRvpEdWbvlzd7L2wbAJUztih08MOR

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Request for Quotations.xlsx
- Size
  
  224KB
- MD5
  
  1ecd5677bdbe462913c9f86083691a68
- SHA1
  
  e415a9e760777635000b0fff2fccdc606f3eea1d
- SHA256
  
  4eb2e88f3fff8c16d572b663f0a308d1d988860279b4f4120e67b7c2e5c3ebb4
- SHA512
  
  333636fc4eaa9721079b0579de4c920ad44fe02df9468d397d5bc8064e0249388f29efa4369f405947c817e929a5a179cc709ee785facd64b1a164ffd344844d
- SSDEEP
  
  6144:+ojGA57x8tQFb7mepx2qMPojnE617Mfpx3oH:nd8Wl5jR6AzZKf4
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Exploitation for Client Execution

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy