lokibot | ae78063adec2ca777227c34e426392c866621a57e682e875a29122431dbbfd58 | Triage

Sharing

General

Target

0b85fca069f4cde9d405fbe723b07e3b_JaffaCakes118
Size

2.0MB
Sample

240501-l7v4sscd9t
MD5

0b85fca069f4cde9d405fbe723b07e3b
SHA1

ee4102d7369a2862952695e62041322c549ba70e
SHA256

ae78063adec2ca777227c34e426392c866621a57e682e875a29122431dbbfd58
SHA512

2e58bc8c318476350df6b37ffd20f9fde8b09c5f1e469bef55db5495f77fca077b418eb584fc4887e98a5b9339f9110bcacd6c1ecaff1251eaeb68953627eb0b
SSDEEP

49152:jJCsg2yJSp9WRYdZxJQuELv+CnaKsEJobXdAV1h1CZ6+Hwc4:jssg9JSpeYdZ0u8+CnhsaoOsDHwc4

Score

10^/10

lokibot collection evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://parkrosegroup.info/lewy/sun/lewy/sun/ebu/solar/gem/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  0b85fca069f4cde9d405fbe723b07e3b_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  0b85fca069f4cde9d405fbe723b07e3b
- SHA1
  
  ee4102d7369a2862952695e62041322c549ba70e
- SHA256
  
  ae78063adec2ca777227c34e426392c866621a57e682e875a29122431dbbfd58
- SHA512
  
  2e58bc8c318476350df6b37ffd20f9fde8b09c5f1e469bef55db5495f77fca077b418eb584fc4887e98a5b9339f9110bcacd6c1ecaff1251eaeb68953627eb0b
- SSDEEP
  
  49152:jJCsg2yJSp9WRYdZxJQuELv+CnaKsEJobXdAV1h1CZ6+Hwc4:jssg9JSpeYdZ0u8+CnhsaoOsDHwc4
Score

10^/10

lokibot collection evasion persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionpersistencespywarestealertrojan

behavioral2

lokibotcollectionevasionpersistencespywarestealertrojan