lokibot | ce8bbc09521bc9bd7a358e4fbbe370962e22b91a78c8d895716ef98a1daaaf77 | Triage

Sharing

General

Target

Final_Test.pdf
Size

530KB
Sample

240421-tt68xaeh93
MD5

ce6ba3df1d57ade7830c5315d77c9311
SHA1

251e75ac4468d26f76eaa9fe6458e169d3757dd4
SHA256

ce8bbc09521bc9bd7a358e4fbbe370962e22b91a78c8d895716ef98a1daaaf77
SHA512

b35cd30bd0ed8a4faab706ec0ec0c5c2494764f5a4a8f6cf416341f868a257e54f8d0ecbfd6523f3fc42fc914dd487a5cc14d86f433a8c5ae8775e131f4c50e6
SSDEEP

12288:0/dqneaMkgoWOtT1oslIRJUfLKvxMiFS9/j+esTCmuPcB:0/dqe1PoZt5HMgLo2micB

Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://meta-mim.in/wp-includes/js/pzy/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes

activex_autorun
true
activex_key
{84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
IRobWUAG
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Avast
use_mutex
true

Targets

- Target
  
  Final_Test.pdf
- Size
  
  530KB
- MD5
  
  ce6ba3df1d57ade7830c5315d77c9311
- SHA1
  
  251e75ac4468d26f76eaa9fe6458e169d3757dd4
- SHA256
  
  ce8bbc09521bc9bd7a358e4fbbe370962e22b91a78c8d895716ef98a1daaaf77
- SHA512
  
  b35cd30bd0ed8a4faab706ec0ec0c5c2494764f5a4a8f6cf416341f868a257e54f8d0ecbfd6523f3fc42fc914dd487a5cc14d86f433a8c5ae8775e131f4c50e6
- SSDEEP
  
  12288:0/dqneaMkgoWOtT1oslIRJUfLKvxMiFS9/j+esTCmuPcB:0/dqe1PoZt5HMgLo2micB
Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan