lokibot

General

Target

Desktop.zip
Size

1.1MB
Sample

230113-tzee3seb7x
MD5

663008cb1ea78a429f85efd4bb0a4dac
SHA1

604f1158d9205cc668871a59fc91d572d49fb1ff
SHA256

8efcbeb19ddae032066166dd5831354b38e5bdf2498049565ffaf8eee97caebc
SHA512

3bddae6dad8aa3ec5d91f9e27aeebe50b0726dac3e9814be3a9301182005f660aa195745d06f659197c2562ccbbdfa680fd8c1e9b0850ac69f2703b3bc3d004e
SSDEEP

24576:HKs1tk0v0BgFAWw+NxMNvfc8/QQdLDkZDtB/ijstfBxZ0YbkioU5KO:qpcyV+2c8/QA3eDtgjstfnu1LU5KO

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.148/fresh2/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  PO-204 -DWI INDAH.xls
- Size
  
  883KB
- MD5
  
  c2d963dd959c1634e35bc1ccc1292174
- SHA1
  
  15f2175cf6d237480b695097822186077fa6c7d2
- SHA256
  
  e89082a08c246ba8e4bffb9ddb127a2ee24cef652e4b0a8772ad22d376a82eb7
- SHA512
  
  3064dddda5a9b17a62977fc480bd82b53950ca0a5409aabd5373f2b0267928a438369b036a08c1e9ff41a75f70d38674c6882f68d1fed1ce43aef243ea4695e2
- SSDEEP
  
  24576:9dptvdXXXXXXXXXXXXUXXXXXXXXXXXXXXXX1UdptvdXXXXXXXXXXXXUXXXXXXXXP:3plpcFVz
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Sales Contract-204 -DWI INDAH.xls
- Size
  
  710KB
- MD5
  
  85479a0eddcf64c752682cdf8d0c4f14
- SHA1
  
  9f4949871b0670b96cd3dc8fa697da77f300eb5f
- SHA256
  
  e3aaf36fee656a3135e01c1f9efb366a5449fb3e1dc0f1e1d1ced9d17a53d4ca
- SHA512
  
  1f6c0d6426765ab399f00d8dd8cb05548b1822d4f2725a821dee333145e5888b21ec73f6dd209a8ec7384593674364618051147bd30820fed1cec6a4c698d89c
- SSDEEP
  
  12288:UP02NM0ry+1ov02NM0ry+1YqkhDkwJ1Wrh:9ZyBZyA9kwHEh
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4