Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
03-03-2024 01:40
General
-
Target
Stealer/Lokibot.exe
-
Size
300KB
-
MD5
f52fbb02ac0666cae74fc389b1844e98
-
SHA1
f7721d590770e2076e64f148a4ba1241404996b8
-
SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
-
SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
SSDEEP
3072:bGSHTJKB/DA8SBV7Nr6JD6u8w/CpLmrCpLmlrudATPTVWZV5wx3nu9B6jFdnp:bGSzYBchvEJD6LpZj+PTa7wx36AjX
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Stealer\Lokibot.exe"2⤵
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
80KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
328KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
648KB