lokibot | 39768453c17afce045164d39f94da00f2e7278130702d41812924bd9c2c3a82a | Triage

Submit
Reports

Overview

overview

Static

static

1

packing li...ce.rtf

windows7-x64

packing li...ce.rtf

windows10-2004-x64

1

Sharing

General

Target

packing list invoice.doc
Size

41KB
Sample

230207-kdlgtsae24
MD5

28c91c3972300ec87144051e544ed45e
SHA1

0b3c7fa689cc170eb46d6403c4e4f832646b9280
SHA256

39768453c17afce045164d39f94da00f2e7278130702d41812924bd9c2c3a82a
SHA512

214831419b83a4820b1334eb3da2443a4a0fac02f50c17c9db08510f06be57a7a18b761de9fc117c3c7ef579655ff57438ae48aaa69fd971f2299cd7916eeb72
SSDEEP

768:cFx0XaIsnPRIa4fwJMeOwtqisMbMU9YjR7/FAIBixw0dp821Dhoqg71:cf0Xvx3EM/YTCV/FTBixwOpnoqgR

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

packing list invoice.rtf

Resource

win7-20221111-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

packing list invoice.rtf

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/cody/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  packing list invoice.doc
- Size
  
  41KB
- MD5
  
  28c91c3972300ec87144051e544ed45e
- SHA1
  
  0b3c7fa689cc170eb46d6403c4e4f832646b9280
- SHA256
  
  39768453c17afce045164d39f94da00f2e7278130702d41812924bd9c2c3a82a
- SHA512
  
  214831419b83a4820b1334eb3da2443a4a0fac02f50c17c9db08510f06be57a7a18b761de9fc117c3c7ef579655ff57438ae48aaa69fd971f2299cd7916eeb72
- SSDEEP
  
  768:cFx0XaIsnPRIa4fwJMeOwtqisMbMU9YjR7/FAIBixw0dp821Dhoqg71:cf0Xvx3EM/YTCV/FTBixwOpnoqgR
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy