lokibot | c6f3fefc6331b5ff0eb910aea106eed3eda8dd01e0137333637b6297e7182923 | Triage

Submit
Reports

Overview

overview

Static

static

5

P.O #306078910.xls

windows7-x64

P.O #306078910.xls

windows10-2004-x64

1

Sharing

General

Target

P.O #306078910.xls
Size

1.2MB
Sample

230130-nxwcxsbg9x
MD5

890afc70ec7cae0f37bf4c76ee9159a3
SHA1

b3d0a77786bfc53d8feb3fdd7d1522c489d5a442
SHA256

c6f3fefc6331b5ff0eb910aea106eed3eda8dd01e0137333637b6297e7182923
SHA512

da2fcd0baa9c9a59cedd7ce2eaef7ffc22a6dfe647c0178f4d33bf7aa383b67193ffcb5f20fb7cbc859a75a19b7e7cb64a33ad1b22b0de2204a087a7b34fa3c1
SSDEEP

24576:7LKMZyOZy8LKNZyUZypQ8ToH0ctmnAoNj:7LK+5zLK3LYjTwtmPN

Score

10^/10

lokibot collection macro spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

P.O #306078910.xls

Resource

win7-20221111-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

P.O #306078910.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.148/china/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  P.O #306078910.xls
- Size
  
  1.2MB
- MD5
  
  890afc70ec7cae0f37bf4c76ee9159a3
- SHA1
  
  b3d0a77786bfc53d8feb3fdd7d1522c489d5a442
- SHA256
  
  c6f3fefc6331b5ff0eb910aea106eed3eda8dd01e0137333637b6297e7182923
- SHA512
  
  da2fcd0baa9c9a59cedd7ce2eaef7ffc22a6dfe647c0178f4d33bf7aa383b67193ffcb5f20fb7cbc859a75a19b7e7cb64a33ad1b22b0de2204a087a7b34fa3c1
- SSDEEP
  
  24576:7LKMZyOZy8LKNZyUZypQ8ToH0ctmnAoNj:7LK+5zLK3LYjTwtmPN
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy