lokibot | 309349b4cedd1c5d2ee575109e7382788986b292d51ebe3ed606fc2618759152 | Triage

Submit
Reports

Overview

overview

Static

static

1

17b640449a...75.rtf

windows7-x64

17b640449a...75.rtf

windows10-2004-x64

1

Sharing

General

Target

f4b2703a921facad2c48fdecca12ae21.bin
Size

10KB
Sample

230605-qc2ejshc8y
MD5

5d627d650d4b0069d40c5dfc243dcaca
SHA1

a7ec340cd670e9d9463b003bdc756820eec6d567
SHA256

309349b4cedd1c5d2ee575109e7382788986b292d51ebe3ed606fc2618759152
SHA512

0be482f75a1ed27dc45d400205114e20acb8a81f11bcdc766eb9217bd6c22b40370e9389b692c966808d293bb3c424ebac29e53eb17d11f3a2529a7004e9b9a9
SSDEEP

192:r+o28oTXIq4I6dTURZaH84IW/t+RD5PYCZPgS6YYNQdicepihIeBxw568Rwn:r/28oTXIq/aH843t+1ZPKTQKkha5An

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

17b640449aa90a91d32537b3206b270952e61270442a74a43bfefbe8d1cb6275.rtf

Resource

win7-20230220-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

17b640449aa90a91d32537b3206b270952e61270442a74a43bfefbe8d1cb6275.rtf

Resource

win10v2004-20230221-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/line/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  17b640449aa90a91d32537b3206b270952e61270442a74a43bfefbe8d1cb6275.rtf
- Size
  
  22KB
- MD5
  
  f4b2703a921facad2c48fdecca12ae21
- SHA1
  
  020a8ebfa0b76d556b782bca144e644ac30b0c74
- SHA256
  
  17b640449aa90a91d32537b3206b270952e61270442a74a43bfefbe8d1cb6275
- SHA512
  
  18282e7036e77ec13aa7eda579922745cda35cee7c688fc5b70f8579cdcf38a8cf6764bef7daeaaf10e9d79f8546667b9c2d4fe2dc4ef8fa9a02f3fde92374ae
- SSDEEP
  
  384:Ro7824atE1XTk5IuhWa2209yH1SawV7iMbvwxyyhHihCI1MMTx/egA6u0rN2YB:rbayY5IuI2oyH17wV7iAvknhHihCI1Mq
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy