lokibot | 188c29dc39bcf0f5dea8950ae2aebfbaa9efcbbc8ac2e7a5fcffabc9d4fcd99c | Triage

Submit
Reports

Overview

overview

Static

static

Shipping D...ts.xls

windows7-x64

Shipping D...ts.xls

windows10-2004-x64

1

Sharing

General

Target

Shipping Documents.xls
Size

745KB
Sample

221123-qxzrfsfb34
MD5

36dbbe387ce3851bc3aa42ed8dc48a8d
SHA1

dce1e73be53660393244455de8b630b214df847a
SHA256

188c29dc39bcf0f5dea8950ae2aebfbaa9efcbbc8ac2e7a5fcffabc9d4fcd99c
SHA512

94bf48cf5edc675e83700d96ad7207335505eb7104edf43691cd3e891338df72d0a0da0e210f3777d2c4bf6202fa8e3e4d1c827559dca5e1d8749970f4c6e302
SSDEEP

12288:fdNqrDx7XXXXXXXXXXXXUXXXXXXXSXXXXXXXXWTmaqydNqrDx7XXXXXXXXXXXXUN:Cr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXy

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Shipping Documents.xls

Resource

win7-20220812-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Shipping Documents.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gm14/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Shipping Documents.xls
- Size
  
  745KB
- MD5
  
  36dbbe387ce3851bc3aa42ed8dc48a8d
- SHA1
  
  dce1e73be53660393244455de8b630b214df847a
- SHA256
  
  188c29dc39bcf0f5dea8950ae2aebfbaa9efcbbc8ac2e7a5fcffabc9d4fcd99c
- SHA512
  
  94bf48cf5edc675e83700d96ad7207335505eb7104edf43691cd3e891338df72d0a0da0e210f3777d2c4bf6202fa8e3e4d1c827559dca5e1d8749970f4c6e302
- SSDEEP
  
  12288:fdNqrDx7XXXXXXXXXXXXUXXXXXXXSXXXXXXXXWTmaqydNqrDx7XXXXXXXXXXXXUN:Cr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXy
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy