lokibot | 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7 | Triage

Sharing

General

Target

67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
Size

2.0MB
Sample

230129-t6md9sfd2v
MD5

2515bd45c12e30be94ed6790c9c892ab
SHA1

5ba8d18b0b74fc5bb3745ee07a464bffc79768fb
SHA256

67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
SHA512

3d9aa7c447c238b3bc8aca33c520b312847ecc5d4f7c45dd18faa2cedaf07d16c00d5366b4acb96da383c078e3a2e7ac598bdbd11bb9a988919e94c1f4cd6a25
SSDEEP

49152:+kItzT0ey1C0bvSMn1v/Mr2WMkxoVypXzZoLwM86YsrTi:2tzTVMC5M13kUkoEM81Ou

Score

10^/10

lokibot collection evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://89.46.222.135/lewy/lewy/sun/best/solar/gem/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
- Size
  
  2.0MB
- MD5
  
  2515bd45c12e30be94ed6790c9c892ab
- SHA1
  
  5ba8d18b0b74fc5bb3745ee07a464bffc79768fb
- SHA256
  
  67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
- SHA512
  
  3d9aa7c447c238b3bc8aca33c520b312847ecc5d4f7c45dd18faa2cedaf07d16c00d5366b4acb96da383c078e3a2e7ac598bdbd11bb9a988919e94c1f4cd6a25
- SSDEEP
  
  49152:+kItzT0ey1C0bvSMn1v/Mr2WMkxoVypXzZoLwM86YsrTi:2tzTVMC5M13kUkoEM81Ou
Score

10^/10

lokibot collection evasion persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionpersistencespywarestealertrojan

behavioral2

lokibotcollectionevasionpersistencespywarestealertrojan