lokibot | 917af44057dfe75238e0c9ad9c131610f29c0ac1641c631c5b01bb6ae5dfe46e | Triage

Sharing

General

Target

e60c1bc83635a8480e1970205944b7a8_JaffaCakes118
Size

760KB
Sample

240407-2wc2vahb76
MD5

e60c1bc83635a8480e1970205944b7a8
SHA1

583890ea81b7180acc4caf95de8b71371e04885d
SHA256

917af44057dfe75238e0c9ad9c131610f29c0ac1641c631c5b01bb6ae5dfe46e
SHA512

5451c30aa46ef870e4e4cc1d1718d00556ad050d63c8b6dd5377745d80a8b2913c7e12ec803a8d548ef42a07270fa49acaa0c4c8725490a0b6bc28f304af4789
SSDEEP

12288:McaQxt8/QxC4CnDbgDPwFVt2NjFktvUvyYc7MBaxUO7gksCTY2nh3b3HbhQyUl6D:LxHCDb0wFVMNjrvyYc/3qCksh3b16Q

Score

10^/10

lokibot collection evasion spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/S7zr5v1fXI3Rb

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  e60c1bc83635a8480e1970205944b7a8_JaffaCakes118
- Size
  
  760KB
- MD5
  
  e60c1bc83635a8480e1970205944b7a8
- SHA1
  
  583890ea81b7180acc4caf95de8b71371e04885d
- SHA256
  
  917af44057dfe75238e0c9ad9c131610f29c0ac1641c631c5b01bb6ae5dfe46e
- SHA512
  
  5451c30aa46ef870e4e4cc1d1718d00556ad050d63c8b6dd5377745d80a8b2913c7e12ec803a8d548ef42a07270fa49acaa0c4c8725490a0b6bc28f304af4789
- SSDEEP
  
  12288:McaQxt8/QxC4CnDbgDPwFVt2NjFktvUvyYc7MBaxUO7gksCTY2nh3b3HbhQyUl6D:LxHCDb0wFVMNjrvyYc/3qCksh3b16Q
Score

10^/10

lokibot collection evasion spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionspywarestealertrojan

behavioral2

lokibotcollectionevasionspywarestealertrojan