lokibot | a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650 | Triage

Submit
Reports

Overview

overview

Static

static

1

009652ad8c...18.rtf

windows7-x64

009652ad8c...18.rtf

windows10-2004-x64

1

Sharing

General

Target

009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118
Size

552KB
Sample

240426-mst4maef92
MD5

009652ad8cba8a42caa9db1c8d0931b7
SHA1

e1bdb522bcdf2651f9a4137efc6ec6a7d824b734
SHA256

a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650
SHA512

6029d9b677bef6b49042bd90eb313db1ac1e609b8fcafa685af21a8c275d28af208b63e945e80c0a87d43b6d881a3785aadba6229a61ed969dfa642ebabaa980
SSDEEP

6144:hZmqhX7z0trUCSkKampadWo7C9VT+fw+70k5Xks4Rxqb++wi6RanU/E1W6w5Yh+4:HktZKtpaYTFtk514Sae6Raeqrh+WS4

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118.rtf

Resource

win7-20240221-en

lokibot collection spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118.rtf

Resource

win10v2004-20240419-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://185.24.233.117/~zadmin/aps/cache.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  009652ad8cba8a42caa9db1c8d0931b7_JaffaCakes118
- Size
  
  552KB
- MD5
  
  009652ad8cba8a42caa9db1c8d0931b7
- SHA1
  
  e1bdb522bcdf2651f9a4137efc6ec6a7d824b734
- SHA256
  
  a143e1fd552ef8f869e937f0e0362b1b0a6af16ab1668e588c780c101dcb4650
- SHA512
  
  6029d9b677bef6b49042bd90eb313db1ac1e609b8fcafa685af21a8c275d28af208b63e945e80c0a87d43b6d881a3785aadba6229a61ed969dfa642ebabaa980
- SSDEEP
  
  6144:hZmqhX7z0trUCSkKampadWo7C9VT+fw+70k5Xks4Rxqb++wi6RanU/E1W6w5Yh+4:HktZKtpaYTFtk514Sae6Raeqrh+WS4
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy