lokibot | ea6f6d9fab4b60bafdd8730e249d50c7a1851e4a4dedebc779d266502a0f6ead | Triage

Submit
Reports

Overview

overview

Static

static

ProductDet...38.exe

windows7-x64

ProductDet...38.exe

windows10-2004-x64

Sharing

General

Target

ProductDetails21638.exe
Size

1.4MB
Sample

221005-hmgtwsdgfr
MD5

e8443af1626f6ccdff4e82cfd293f232
SHA1

9b6a9922c4f1475bf9bf1dd2f71f88905e4a8d90
SHA256

ea6f6d9fab4b60bafdd8730e249d50c7a1851e4a4dedebc779d266502a0f6ead
SHA512

0e8d74490b486320fc3ad65e1f10af78a8da7d83170f0b79b8f9b56a74707ea920599467212886acdf09d3e61b805c7e3468ef96ad052b4adbd9706a55b53d62
SSDEEP

12288:xnjoVnNCBllTDonWZQzjFeM6DJOjB9sTTHyaTE78+agEWflDY8xulEV0VrB2dfb1:UNclQnYQb6VOWQ77agEilDrxulEVQkp

Score

10^/10

lokibot wshrat collection persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ProductDetails21638.exe

Resource

win7-20220901-en

lokibot wshrat collection persistence spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

ProductDetails21638.exe

Resource

win10v2004-20220812-en

lokibot wshrat collection persistence spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://45.155.165.70/se8se/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

wshrat

C2

http://rze6.sytes.net:4000

Targets

- Target
  
  ProductDetails21638.exe
- Size
  
  1.4MB
- MD5
  
  e8443af1626f6ccdff4e82cfd293f232
- SHA1
  
  9b6a9922c4f1475bf9bf1dd2f71f88905e4a8d90
- SHA256
  
  ea6f6d9fab4b60bafdd8730e249d50c7a1851e4a4dedebc779d266502a0f6ead
- SHA512
  
  0e8d74490b486320fc3ad65e1f10af78a8da7d83170f0b79b8f9b56a74707ea920599467212886acdf09d3e61b805c7e3468ef96ad052b4adbd9706a55b53d62
- SSDEEP
  
  12288:xnjoVnNCBllTDonWZQzjFeM6DJOjB9sTTHyaTE78+agEWflDY8xulEV0VrB2dfb1:UNclQnYQb6VOWQ77agEilDrxulEVQkp
Score

10^/10

lokibot wshrat collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotwshratcollectionpersistencespywarestealertrojan

behavioral2

lokibotwshratcollectionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy