lokibot | a4d30f60d3bcee2bdbb9c5bba47f83b186efce182f3108f9e6ca0a6a09a1f2bc | Triage

Submit
Reports

Overview

overview

Static

static

purchase i...33.exe

windows7-x64

1

purchase i...33.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

purchase inquiry(Schmersal) AS894 - HU633.img
Size

70KB
Sample

221101-gqkvaagfd5
MD5

61238f7fcdeabbaa8f5028c9322621fe
SHA1

7a0328bbd496e1c994876195e68d591454e98172
SHA256

a4d30f60d3bcee2bdbb9c5bba47f83b186efce182f3108f9e6ca0a6a09a1f2bc
SHA512

2208e250748a416722bfe1a033d3b27976783ed9c09c25137b1859514448d4ae6facfd1e79f86c19a5f7fde6de57153facddfc7b2fa7b3b6f8e5fa4ebef0fcd2
SSDEEP

192:YTEynR4X1K+N8ROIGpYpyeDyPC8stYcFmVc03KY:I1R4XPyROIxqPCptYcFmVc03K

Score

10^/10

lokibot remcos remotehost collection persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

purchase inquiry(Schmersal) AS894 - HU633.exe

Resource

win7-20220812-en

windows7-x64

1 signatures

150 seconds

Behavioral task

behavioral2

Sample

purchase inquiry(Schmersal) AS894 - HU633.exe

Resource

win10v2004-20220812-en

lokibot remcos remotehost collection persistence rat spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

obologs.work.gd:4044

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GPG7FU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lokibot

C2

http://63.250.44.84/cpanel.php?id=7142923716380768932330405157671485688969698674568701752368135274833639699

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  purchase inquiry(Schmersal) AS894 - HU633.exe
- Size
  
  9KB
- MD5
  
  2f9cbfad6b863d1f2fab79ded5c6d178
- SHA1
  
  c28bc742ecd706dfec4713d992c411d067900ca5
- SHA256
  
  6d5486d773d521ca26d1e092dc07f044ab75d0fa303780ef2216b443c1897c93
- SHA512
  
  d3ea48e143c6aa6303776866295fe37c640ba9d0a76d7e14d1f3e4caa115233a373dac90be7ca82ebc40382f103c7a55780c7c78c7375533d1eacc8685a337a9
- SSDEEP
  
  192:f4X1K+N8ROIGpYpyeDyPC8stYcFmVc03KY:f4XPyROIxqPCptYcFmVc03K
Score

10^/10

lokibot remcos remotehost collection persistence rat spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

lokibotremcosremotehostcollectionpersistenceratspywarestealertrojan

© 2018-2025

Terms | Privacy