lokibot | a230f0a094f4f90c0353688e60a8705b4396970de6fe34c9c62c077003529dc7 | Triage

Submit
Reports

Overview

overview

Static

static

A230F0A094...C7.xls

windows7-x64

A230F0A094...C7.xls

windows10-2004-x64

1

Sharing

General

Target

A230F0A094F4F90C0353688E60A8705B4396970DE6FE34C9C62C077003529DC7
Size

393KB
Sample

221123-r2taxadb5s
MD5

9433034c2cfa6b182409561cc01173fe
SHA1

9026d31a8fbffb73ee642cf42479a71e982eb4bc
SHA256

a230f0a094f4f90c0353688e60a8705b4396970de6fe34c9c62c077003529dc7
SHA512

7e841ba908930f92d317243a6e710b4baf823bacc0dbfe4ecfb06a6a7a9a5dba2ce569e4eba71dafef985e75bba1bdea299607a835ccb24dc736107407915cd0
SSDEEP

12288:OdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmYjTm7TmD9JIxWZaTtg/g6Rm:tr5XXXXXXXXXXXXUXXXXXXXrXXXXXXX2

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

A230F0A094F4F90C0353688E60A8705B4396970DE6FE34C9C62C077003529DC7.xls

Resource

win7-20220812-en

lokibot collection spyware stealer trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

A230F0A094F4F90C0353688E60A8705B4396970DE6FE34C9C62C077003529DC7.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gk22/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  A230F0A094F4F90C0353688E60A8705B4396970DE6FE34C9C62C077003529DC7
- Size
  
  393KB
- MD5
  
  9433034c2cfa6b182409561cc01173fe
- SHA1
  
  9026d31a8fbffb73ee642cf42479a71e982eb4bc
- SHA256
  
  a230f0a094f4f90c0353688e60a8705b4396970de6fe34c9c62c077003529dc7
- SHA512
  
  7e841ba908930f92d317243a6e710b4baf823bacc0dbfe4ecfb06a6a7a9a5dba2ce569e4eba71dafef985e75bba1bdea299607a835ccb24dc736107407915cd0
- SSDEEP
  
  12288:OdNqrDx7XXXXXXXXXXXXUXXXXXXXrXXXXXXXXEmYjTm7TmD9JIxWZaTtg/g6Rm:tr5XXXXXXXXXXXXUXXXXXXXrXXXXXXX2
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy