lokibot | ee87371ff74c24235fb99de41971f23185587ee25030fe4abf0a6142101cfb6e | Triage

Submit
Reports

Overview

overview

Static

static

0011INV-PB...22.xls

windows7-x64

0011INV-PB...22.xls

windows10-2004-x64

1

Sharing

General

Target

0011INV-PBS-BPPXI22.xls
Size

1.2MB
Sample

230116-vqtzvaec31
MD5

33a75ae52baa059c946ce63343977318
SHA1

3f9a8c9b845e25c823236f55e803261611b7ada1
SHA256

ee87371ff74c24235fb99de41971f23185587ee25030fe4abf0a6142101cfb6e
SHA512

3dfff19d8d8eb90400773272e7e40095b299b8040e9f3b324a26e176f01929a934ce049c48544a268fa1418a8878f0863e888e69e0e9e3c8c5f7d43e2fe21c33
SSDEEP

24576:YZyg5mMZyu1m35QsTYh2TDXXXXXXXXXXXXUXXXXXXXXXX7XXXXXCK8VIvsSXOJv6:KbQDTXK8xSeJvb

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

0011INV-PBS-BPPXI22.xls

Resource

win7-20220812-en

lokibot collection spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

0011INV-PBS-BPPXI22.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  0011INV-PBS-BPPXI22.xls
- Size
  
  1.2MB
- MD5
  
  33a75ae52baa059c946ce63343977318
- SHA1
  
  3f9a8c9b845e25c823236f55e803261611b7ada1
- SHA256
  
  ee87371ff74c24235fb99de41971f23185587ee25030fe4abf0a6142101cfb6e
- SHA512
  
  3dfff19d8d8eb90400773272e7e40095b299b8040e9f3b324a26e176f01929a934ce049c48544a268fa1418a8878f0863e888e69e0e9e3c8c5f7d43e2fe21c33
- SSDEEP
  
  24576:YZyg5mMZyu1m35QsTYh2TDXXXXXXXXXXXXUXXXXXXXXXX7XXXXXCK8VIvsSXOJv6:KbQDTXK8xSeJvb
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy