lokibot | 7f33703ff5f3e826d4209149419211632cb3fc6599bee182fcbb7fd225e64ab8 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

ee6851f7c6...e0.rtf

windows7-x64

ee6851f7c6...e0.rtf

windows10-2004-x64

1

Sharing

General

Target

ee6851f7c64b5d019791616cc442f6e0.rtf
Size

23KB
Sample

230512-bgm1dsdd81
MD5

ee6851f7c64b5d019791616cc442f6e0
SHA1

72af3b772764ba00ceee26e48915dd800365c386
SHA256

7f33703ff5f3e826d4209149419211632cb3fc6599bee182fcbb7fd225e64ab8
SHA512

d7a2221aec0d367e958342f50dc7b87d2e843ac32d92b25e642d9e607e00117d9bd8159d71f5b3405c713385a87398d788c480ffcaa4ea031dd2fb1aa070f91b
SSDEEP

384:bIufFIHAYQiQixve/9xujA152GUxm/JmVAi2k9uVcdOD5T8JX5QsR7oF5QEE2:bFtIHAcQixve/9xujAD2bxm/JsJ5R7ob

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

ee6851f7c64b5d019791616cc442f6e0.rtf

Resource

win7-20230220-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

ee6851f7c64b5d019791616cc442f6e0.rtf

Resource

win10v2004-20230220-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/mancho/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  ee6851f7c64b5d019791616cc442f6e0.rtf
- Size
  
  23KB
- MD5
  
  ee6851f7c64b5d019791616cc442f6e0
- SHA1
  
  72af3b772764ba00ceee26e48915dd800365c386
- SHA256
  
  7f33703ff5f3e826d4209149419211632cb3fc6599bee182fcbb7fd225e64ab8
- SHA512
  
  d7a2221aec0d367e958342f50dc7b87d2e843ac32d92b25e642d9e607e00117d9bd8159d71f5b3405c713385a87398d788c480ffcaa4ea031dd2fb1aa070f91b
- SSDEEP
  
  384:bIufFIHAYQiQixve/9xujA152GUxm/JmVAi2k9uVcdOD5T8JX5QsR7oF5QEE2:bFtIHAcQixve/9xujAD2bxm/JsJ5R7ob
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy