lokibot | 2cd2338a1d4696536ac38aace5d280c73da98821ec06550d00c1138f7914a53f | Triage

Submit
Reports

Overview

overview

Static

static

1

e96b78b304...fc.rtf

windows7-x64

e96b78b304...fc.rtf

windows10-2004-x64

1

Sharing

General

Target

de8dccb1065c19531df50171d73ed6be.bin
Size

22KB
Sample

230922-csf7naea43
MD5

9e12f8952dacaa944ba8e86c93166ee6
SHA1

25892f3d2c5a225795c2732c80613427943afc4a
SHA256

2cd2338a1d4696536ac38aace5d280c73da98821ec06550d00c1138f7914a53f
SHA512

1009ef8620566cc6c3e64644fece669c3c0e3fef17b4b2a4c90ddb5e4b2c6532b0eaea2a871f396b2dbefb4525c13df0aca91e463ec905ffe71cbbd5f360a91a
SSDEEP

384:Qv2S/2FFJTPaTdL7KXOfVDq8wu9i0I3rOq04gZbkW7Rqavv:W2hLa5S+dDqn01q0vFkydH

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

e96b78b304d36170a18e1aaf50547133ddf8ab10925da128946136ce87e02cfc.rtf

Resource

win7-20230831-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

e96b78b304d36170a18e1aaf50547133ddf8ab10925da128946136ce87e02cfc.rtf

Resource

win10v2004-20230915-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://kelly.chinacarbonfiber.buzz/_errorpages/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  e96b78b304d36170a18e1aaf50547133ddf8ab10925da128946136ce87e02cfc.bin
- Size
  
  82KB
- MD5
  
  de8dccb1065c19531df50171d73ed6be
- SHA1
  
  460332fa5c184a49e4d2a6012608a5b08004b4a8
- SHA256
  
  e96b78b304d36170a18e1aaf50547133ddf8ab10925da128946136ce87e02cfc
- SHA512
  
  33c7d634c3892b3288c77fb185d554316ec35e2510dd6cc240186f24edbaa166b77bcb130a51931a32552946522e995f3a7ad9974e6f3a31e889236fc509aef7
- SSDEEP
  
  768:kwAbZSibMX9gRWjGwWgmbZWoUpEcU5igQc+B5Sr82lQXvuc4F:kwAlRr2EcaigQc+B5Sg6m4F
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2023

Terms | Privacy