lokibot | 83b5e2491136b593198de29997b791e88e7d5a3e6472caae44902191e6266e52 | Triage

Submit
Reports

Overview

overview

Static

static

5

REMITTANCE...1].xls

windows7-x64

REMITTANCE...1].xls

windows10-2004-x64

1

Sharing

General

Target

REMITTANCE ADVICE [REF0000360261].xls
Size

1.0MB
Sample

230209-aake9abe56
MD5

9440bad2a57747bf88aa508e26485ddc
SHA1

a3242607f6570536eafda3b6f4d3f30da560e2f5
SHA256

83b5e2491136b593198de29997b791e88e7d5a3e6472caae44902191e6266e52
SHA512

1fd31386fad6eedbffe869a05552741a9bacbb237e8ca5e66b8c309320011925fc7a7ec57cf27df38b3d3535e8ca3e8e85510d262605c104166f57dac8dd79ce
SSDEEP

24576:bFefqLFRIcBFe3MdGoo5ncQVSyjAcZDek:5lpzGEtQV9fll

Score

10^/10

lokibot collection macro spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

REMITTANCE ADVICE [REF0000360261].xls

Resource

win7-20221111-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

REMITTANCE ADVICE [REF0000360261].xls

Resource

win10v2004-20220812-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha13/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  REMITTANCE ADVICE [REF0000360261].xls
- Size
  
  1.0MB
- MD5
  
  9440bad2a57747bf88aa508e26485ddc
- SHA1
  
  a3242607f6570536eafda3b6f4d3f30da560e2f5
- SHA256
  
  83b5e2491136b593198de29997b791e88e7d5a3e6472caae44902191e6266e52
- SHA512
  
  1fd31386fad6eedbffe869a05552741a9bacbb237e8ca5e66b8c309320011925fc7a7ec57cf27df38b3d3535e8ca3e8e85510d262605c104166f57dac8dd79ce
- SSDEEP
  
  24576:bFefqLFRIcBFe3MdGoo5ncQVSyjAcZDek:5lpzGEtQV9fll
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy