lokibot | cdca5bbacc8ca195d929b58cffa8b459ec3b585d60c0d41537e97b78b4f65916 | Triage

Submit
Reports

Overview

overview

Static

static

5

Purchase order.xls

windows7-x64

Purchase order.xls

windows10-2004-x64

1

Sharing

General

Target

Purchase order.xls
Size

1.0MB
Sample

230208-w9hatsec92
MD5

c017f228fc0c09dc33d9d4d0a243cc67
SHA1

f5504e64370bb5d8d70b4796a1d92ff3819f768c
SHA256

cdca5bbacc8ca195d929b58cffa8b459ec3b585d60c0d41537e97b78b4f65916
SHA512

bd3157f8a38b8559ea1a568d1ed1d7fbbc5d7e435e67dd265bdf16eef9ba891d1ae3ec6c4a8e72bde9e726f2a4133aeb87a984dfc47070c1586c79f8664207ab
SSDEEP

24576:ZFeuPHAEezjXUcvFeeL7tSCRRFYQ53pGDe5HX:rPPHO4cNNPICrqQ1pGDexX

Score

10^/10

lokibot collection macro spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Purchase order.xls

Resource

win7-20221111-en

lokibot collection spyware stealer trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase order.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Purchase order.xls
- Size
  
  1.0MB
- MD5
  
  c017f228fc0c09dc33d9d4d0a243cc67
- SHA1
  
  f5504e64370bb5d8d70b4796a1d92ff3819f768c
- SHA256
  
  cdca5bbacc8ca195d929b58cffa8b459ec3b585d60c0d41537e97b78b4f65916
- SHA512
  
  bd3157f8a38b8559ea1a568d1ed1d7fbbc5d7e435e67dd265bdf16eef9ba891d1ae3ec6c4a8e72bde9e726f2a4133aeb87a984dfc47070c1586c79f8664207ab
- SSDEEP
  
  24576:ZFeuPHAEezjXUcvFeeL7tSCRRFYQ53pGDe5HX:rPPHO4cNNPICrqQ1pGDexX
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy