lokibot | e3aaf36fee656a3135e01c1f9efb366a5449fb3e1dc0f1e1d1ced9d17a53d4ca | Triage

Sharing

General

Target

Sales Contract-204 -DWI INDAH.xls
Size

710KB
Sample

230113-gdjfpaef25
MD5

85479a0eddcf64c752682cdf8d0c4f14
SHA1

9f4949871b0670b96cd3dc8fa697da77f300eb5f
SHA256

e3aaf36fee656a3135e01c1f9efb366a5449fb3e1dc0f1e1d1ced9d17a53d4ca
SHA512

1f6c0d6426765ab399f00d8dd8cb05548b1822d4f2725a821dee333145e5888b21ec73f6dd209a8ec7384593674364618051147bd30820fed1cec6a4c698d89c
SSDEEP

12288:UP02NM0ry+1ov02NM0ry+1YqkhDkwJ1Wrh:9ZyBZyA9kwHEh

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.148/fresh2/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Sales Contract-204 -DWI INDAH.xls
- Size
  
  710KB
- MD5
  
  85479a0eddcf64c752682cdf8d0c4f14
- SHA1
  
  9f4949871b0670b96cd3dc8fa697da77f300eb5f
- SHA256
  
  e3aaf36fee656a3135e01c1f9efb366a5449fb3e1dc0f1e1d1ced9d17a53d4ca
- SHA512
  
  1f6c0d6426765ab399f00d8dd8cb05548b1822d4f2725a821dee333145e5888b21ec73f6dd209a8ec7384593674364618051147bd30820fed1cec6a4c698d89c
- SSDEEP
  
  12288:UP02NM0ry+1ov02NM0ry+1YqkhDkwJ1Wrh:9ZyBZyA9kwHEh
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2