lokibot | b68dd5b95d999bbbe68fe4a254a5cfa07c56facddc3641a366ad24488a6a7801 | Triage

Submit
Reports

Overview

overview

Static

static

5

DHL 7214306201.xls

windows7-x64

DHL 7214306201.xls

windows10-2004-x64

1

Sharing

General

Target

DHL 7214306201.xls
Size

1.2MB
Sample

230130-nzl72abh2w
MD5

b617a312bf6377f84c5bb996602ad326
SHA1

e73a2817b786dd73873232e1c5d87d48053b04bd
SHA256

b68dd5b95d999bbbe68fe4a254a5cfa07c56facddc3641a366ad24488a6a7801
SHA512

e515fd7347308244c26ae4bead853cfc3e64b0682f326c923a7359dfd7a0e48490fd68b0341cb55da98030f6e16a0712e9eebb53e35ca7ddb1902a0822064ff4
SSDEEP

24576:GLKMZyOZy8LKNZyeZyMQ8ToW0cwmnAoNa:GLK+5zLK3hNjTVwmPN

Score

10^/10

lokibot collection macro spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

DHL 7214306201.xls

Resource

win7-20220812-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

DHL 7214306201.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/line/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  DHL 7214306201.xls
- Size
  
  1.2MB
- MD5
  
  b617a312bf6377f84c5bb996602ad326
- SHA1
  
  e73a2817b786dd73873232e1c5d87d48053b04bd
- SHA256
  
  b68dd5b95d999bbbe68fe4a254a5cfa07c56facddc3641a366ad24488a6a7801
- SHA512
  
  e515fd7347308244c26ae4bead853cfc3e64b0682f326c923a7359dfd7a0e48490fd68b0341cb55da98030f6e16a0712e9eebb53e35ca7ddb1902a0822064ff4
- SSDEEP
  
  24576:GLKMZyOZy8LKNZyeZyMQ8ToW0cwmnAoNa:GLK+5zLK3hNjTVwmPN
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy