lokibot | 36b62272406ef548125819792b88045abbe14f58a2c439ac2b5aa993278a46c2 | Triage

Sharing

General

Target

36b62272406ef548125819792b88045abbe14f58a2c439ac2b5aa993278a46c2
Size

820KB
Sample

230129-zazbvadf51
MD5

d8100d0e58094f445dd5b30ed652acac
SHA1

42b473c4dd81085ff403e184d62dbef37229cfc7
SHA256

36b62272406ef548125819792b88045abbe14f58a2c439ac2b5aa993278a46c2
SHA512

b726a9ff9b6cced2c6522c5155bb457ead17d3e8610aae83ef3f0de48ee98664bc421b490e037a7f2ed4f8a3c8f52059f6b3dc584577564cf2a044302b5a0836
SSDEEP

12288:GBs4YVakkUOm8EkTPQxvvDh6f1NpQansFQSs0Y723A654wYkPPt:GNm8EaPlTq1Fk03Q6PYw

Score

10^/10

lokibot collection evasion spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://spunkyiopkslookup.ddns.net/IjfOlJFP/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  36b62272406ef548125819792b88045abbe14f58a2c439ac2b5aa993278a46c2
- Size
  
  820KB
- MD5
  
  d8100d0e58094f445dd5b30ed652acac
- SHA1
  
  42b473c4dd81085ff403e184d62dbef37229cfc7
- SHA256
  
  36b62272406ef548125819792b88045abbe14f58a2c439ac2b5aa993278a46c2
- SHA512
  
  b726a9ff9b6cced2c6522c5155bb457ead17d3e8610aae83ef3f0de48ee98664bc421b490e037a7f2ed4f8a3c8f52059f6b3dc584577564cf2a044302b5a0836
- SSDEEP
  
  12288:GBs4YVakkUOm8EkTPQxvvDh6f1NpQansFQSs0Y723A654wYkPPt:GNm8EaPlTq1Fk03Q6PYw
Score

10^/10

lokibot collection evasion spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionspywarestealertrojan

behavioral2

lokibotcollectionevasionspywarestealertrojan