lokibot | ba45bd57955b02375e7aaf23a00a02343506d3b1789a1e33dd51c20ff4b083e9 | Triage

Submit
Reports

Overview

overview

Static

static

e270a30a-6...3.docx

windows7-x64

e270a30a-6...3.docx

windows10-2004-x64

1

Sharing

General

Target

e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx
Size

10KB
Sample

230310-xe59vaeh59
MD5

d0a30c0613166d9eff01470fd074f7fc
SHA1

54832f5e30a4588211a212fc55d14dc9b23a656c
SHA256

ba45bd57955b02375e7aaf23a00a02343506d3b1789a1e33dd51c20ff4b083e9
SHA512

d088ff01822976d6de61d9d801fb9eecb56d27b842f54023213b051d05ebe8dd267082e36baf3bbf4105accc5bc5a892f3140225cd8dfaedac2b55412857d95c
SSDEEP

192:ScIMmtP1aIG/bslPL++uOR4nl+CVWBXJC0c3Pp:SPXU/slT+LOR6HkZC9B

Score

10^/10

lokibot collection spyware stealer trojan websettings

Static task

static1

Behavioral task

behavioral1

Sample

e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx

Resource

win7-20230220-en

lokibot collection spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx

Resource

win10v2004-20230220-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://yyyyyYYYYUUSUUUUUUU3243242UUU23U423U4UU2UWWWWW8W8W7W8WWWWWWW878W8W8WW78WWWW87W87W88WEEW787888W88W8W@1806685202/ru2........................doc

Extracted

Family

lokibot

C2

http://185.246.220.60/shen/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx
- Size
  
  10KB
- MD5
  
  d0a30c0613166d9eff01470fd074f7fc
- SHA1
  
  54832f5e30a4588211a212fc55d14dc9b23a656c
- SHA256
  
  ba45bd57955b02375e7aaf23a00a02343506d3b1789a1e33dd51c20ff4b083e9
- SHA512
  
  d088ff01822976d6de61d9d801fb9eecb56d27b842f54023213b051d05ebe8dd267082e36baf3bbf4105accc5bc5a892f3140225cd8dfaedac2b55412857d95c
- SSDEEP
  
  192:ScIMmtP1aIG/bslPL++uOR4nl+CVWBXJC0c3Pp:SPXU/slT+LOR6HkZC9B
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy