lokibot | 64629388f660c5b68375082dfbd9aedb1fd86c7aed1db141a6102bbf5d6f8188 | Triage

Submit
Reports

Overview

overview

Static

static

5

cf2188ba-2...66.xls

windows7-x64

cf2188ba-2...66.xls

windows10-2004-x64

1

Sharing

General

Target

cf2188ba-2823-4a96-b207-0a7577aea266.xls
Size

185KB
Sample

230122-d9axmsgh6y
MD5

4c47656c02c88cdec7e454b7566750a3
SHA1

efc679a688d27742226754433c026fa9c6a59b12
SHA256

64629388f660c5b68375082dfbd9aedb1fd86c7aed1db141a6102bbf5d6f8188
SHA512

774f9b4c9176d618c6e95c71ace7c4412e1afb63f4970f0416ed135bacbb6a346f14b28a9d2155854b0db0aaaafac5c8aa7104a8a6da25bdae820c67ecff092c
SSDEEP

3072:Ft9hc1Ut9hcu/fZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAiv8FsutHrnvZA9AOUde:Lc1+cunZ+RwPONXoRjDhIcp0fDlavx+5

Score

10^/10

lokibot collection macro spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cf2188ba-2823-4a96-b207-0a7577aea266.xls

Resource

win7-20220812-en

lokibot collection spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

cf2188ba-2823-4a96-b207-0a7577aea266.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  cf2188ba-2823-4a96-b207-0a7577aea266.xls
- Size
  
  185KB
- MD5
  
  4c47656c02c88cdec7e454b7566750a3
- SHA1
  
  efc679a688d27742226754433c026fa9c6a59b12
- SHA256
  
  64629388f660c5b68375082dfbd9aedb1fd86c7aed1db141a6102bbf5d6f8188
- SHA512
  
  774f9b4c9176d618c6e95c71ace7c4412e1afb63f4970f0416ed135bacbb6a346f14b28a9d2155854b0db0aaaafac5c8aa7104a8a6da25bdae820c67ecff092c
- SSDEEP
  
  3072:Ft9hc1Ut9hcu/fZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAiv8FsutHrnvZA9AOUde:Lc1+cunZ+RwPONXoRjDhIcp0fDlavx+5
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy