lokibot | b33866bbebdcdc098574d2919d7b2bbeecf6053d22c596f552004deaa6f7b8b5 | Triage

Sharing

General

Target

Payment copy.xls
Size

536KB
Sample

221107-nhscqafgfl
MD5

2bb06f6289571f2705992371f58c8249
SHA1

b7de786cc88654c5c99cbdedd63b5adb634d5ed6
SHA256

b33866bbebdcdc098574d2919d7b2bbeecf6053d22c596f552004deaa6f7b8b5
SHA512

653a52fb27007993eca80449be08c5a39e8caf65d2b9ce6dac6e905f6aae2725a0d5086a6dc0a05105141501ba199880d2938445de006dfbdcf8b6a5fa276486
SSDEEP

12288:TdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmYQTmDTmflZdLAxTBcwY68IosZ:Or5XXXXXXXXXXXXUXXXXXXXrXXXXXXXi

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gl16/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Payment copy.xls
- Size
  
  536KB
- MD5
  
  2bb06f6289571f2705992371f58c8249
- SHA1
  
  b7de786cc88654c5c99cbdedd63b5adb634d5ed6
- SHA256
  
  b33866bbebdcdc098574d2919d7b2bbeecf6053d22c596f552004deaa6f7b8b5
- SHA512
  
  653a52fb27007993eca80449be08c5a39e8caf65d2b9ce6dac6e905f6aae2725a0d5086a6dc0a05105141501ba199880d2938445de006dfbdcf8b6a5fa276486
- SSDEEP
  
  12288:TdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmYQTmDTmflZdLAxTBcwY68IosZ:Or5XXXXXXXXXXXXUXXXXXXXrXXXXXXXi
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2