lokibot | 3a37259359d9dbf66ab69fc0cc456ca1840731c77415fd12aef9a13a99e3ff1a | Triage

Submit
Reports

Overview

overview

Static

static

1

SecuriteIn...87.rtf

windows7-x64

SecuriteIn...87.rtf

windows10-2004-x64

1

Sharing

General

Target

SecuriteInfo.com.Exploit.CVE-2018-0798.4.3772.16087.rtf
Size

344KB
Sample

240508-lggtgsdg6v
MD5

5681ef4b72b5ee6da9a3ca1ab8ec0c90
SHA1

7f60fe99367dac70d31a1e9637437f6cfbd2f216
SHA256

3a37259359d9dbf66ab69fc0cc456ca1840731c77415fd12aef9a13a99e3ff1a
SHA512

8f11d9c2f0146435e8c0b60df008c70960533b05ca7b4fbc123d2a337ac0329e78af7a1e4695e1d501036d4dbfcfce972cf8cb0c3ad6b5e916657f72d9ce9b8d
SSDEEP

6144:PwAYwAYwAYwAYwAYwAYwAYwAYwAYwAys/Dff:u

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Exploit.CVE-2018-0798.4.3772.16087.rtf

Resource

win7-20240221-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Exploit.CVE-2018-0798.4.3772.16087.rtf

Resource

win10v2004-20240419-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d4/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.3772.16087.rtf
- Size
  
  344KB
- MD5
  
  5681ef4b72b5ee6da9a3ca1ab8ec0c90
- SHA1
  
  7f60fe99367dac70d31a1e9637437f6cfbd2f216
- SHA256
  
  3a37259359d9dbf66ab69fc0cc456ca1840731c77415fd12aef9a13a99e3ff1a
- SHA512
  
  8f11d9c2f0146435e8c0b60df008c70960533b05ca7b4fbc123d2a337ac0329e78af7a1e4695e1d501036d4dbfcfce972cf8cb0c3ad6b5e916657f72d9ce9b8d
- SSDEEP
  
  6144:PwAYwAYwAYwAYwAYwAYwAYwAYwAYwAys/Dff:u
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy