lokibot | b9ef91015d894ef785bbba54bd741d73866c7b5a4583ec87c470d748399f9ffd | Triage

Submit
Reports

Overview

overview

Static

static

SWIFT Tran...81.rtf

windows7-x64

SWIFT Tran...81.rtf

windows10-2004-x64

1

Sharing

General

Target

SWIFT Transfer 103 LD9081.doc
Size

28KB
Sample

230124-s6gncaea4x
MD5

b46e00e44324f90a797dae714a4cc7d4
SHA1

358154f88d48d0b09a1a0b2dd1b01c1d24c61642
SHA256

b9ef91015d894ef785bbba54bd741d73866c7b5a4583ec87c470d748399f9ffd
SHA512

414119d0b1c75813eb7da3c3a50ad703e992635ae7680a7b274fd794019e53bb762af9a0924ac92ce4bd5b28528d06c644eb7ac947880db500c2988b59cec1a1
SSDEEP

768:VFx0XaIsnPRIa4fwJMCpDxpcQ2pxSGB/qd1CJs:Vf0Xvx3EMCGQyxoq+

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SWIFT Transfer 103 LD9081.rtf

Resource

win7-20221111-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

SWIFT Transfer 103 LD9081.rtf

Resource

win10v2004-20220901-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/cody/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SWIFT Transfer 103 LD9081.doc
- Size
  
  28KB
- MD5
  
  b46e00e44324f90a797dae714a4cc7d4
- SHA1
  
  358154f88d48d0b09a1a0b2dd1b01c1d24c61642
- SHA256
  
  b9ef91015d894ef785bbba54bd741d73866c7b5a4583ec87c470d748399f9ffd
- SHA512
  
  414119d0b1c75813eb7da3c3a50ad703e992635ae7680a7b274fd794019e53bb762af9a0924ac92ce4bd5b28528d06c644eb7ac947880db500c2988b59cec1a1
- SSDEEP
  
  768:VFx0XaIsnPRIa4fwJMCpDxpcQ2pxSGB/qd1CJs:Vf0Xvx3EMCGQyxoq+
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy