lokibot | 6d60dd648580a7f4c65e6b7e695b1599aa696479fbe04867c78399f0ebf1feda | Triage

Submit
Reports

Overview

overview

Static

static

5

payment receipt.xls

windows7-x64

payment receipt.xls

windows10-2004-x64

1

Sharing

General

Target

payment receipt.xls
Size

1.1MB
Sample

230123-xe8pzaeg36
MD5

53a4e7a639e3bf137e774f213999bfd9
SHA1

2dea7560d48680d0cdbd5ec281a10d0daaf73e72
SHA256

6d60dd648580a7f4c65e6b7e695b1599aa696479fbe04867c78399f0ebf1feda
SHA512

5f9adf281c805549d542baf5bbd10bb992417e3f9a4f8e0743c2da93a819c21c556de1f3fdbaf7fcef348e670b60ab1f30b605904938b2ae3c1d672fb2450372
SSDEEP

24576:9Wm7+m7bZXXXXXXXXXXXXUXXXXXXXXXXXXXXrX5:

Score

10^/10

lokibot collection macro spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

payment receipt.xls

Resource

win7-20221111-en

lokibot collection spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

payment receipt.xls

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  payment receipt.xls
- Size
  
  1.1MB
- MD5
  
  53a4e7a639e3bf137e774f213999bfd9
- SHA1
  
  2dea7560d48680d0cdbd5ec281a10d0daaf73e72
- SHA256
  
  6d60dd648580a7f4c65e6b7e695b1599aa696479fbe04867c78399f0ebf1feda
- SHA512
  
  5f9adf281c805549d542baf5bbd10bb992417e3f9a4f8e0743c2da93a819c21c556de1f3fdbaf7fcef348e670b60ab1f30b605904938b2ae3c1d672fb2450372
- SSDEEP
  
  24576:9Wm7+m7bZXXXXXXXXXXXXUXXXXXXXXXXXXXXrX5:
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy