lokibot | 20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9 | Triage

Resubmissions

08-05-2024 17:36

240508-v63xpahh27 6

08-05-2024 15:41

240508-s4smtsea68 10

Sharing

General

Target

258c60b279a8debef184b5c01766604f_JaffaCakes118
Size

280KB
Sample

240508-s4smtsea68
MD5

258c60b279a8debef184b5c01766604f
SHA1

011f5dda5f08ac9f3ec5723ce3d54ad738f8a367
SHA256

20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9
SHA512

50d90c2eedbf941d6e38ab8274b11654bcf8b613c8aa03ba10fcc9a4ef29551ed88f47d21bb12c11648e7524a8d1fe73c11e0c8864d01b8c9fe0773952e5c313
SSDEEP

6144:72j756oaGYq2ygcOCJPExIn52TO18L63E4xK:yj09ygcOQZ5iO1u38K

Score

10^/10

lokibot nanocore collection evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://arenamedia.co.ke/include/dbes/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

nanocore

Version

1.2.2.0

C2

dbesth1.ddns.net:3455

154.16.220.30:3455

Mutex

3cea4056-063b-4394-b13d-4dc863235987

Attributes

activate_away_mode
true
backup_connection_host
154.16.220.30
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-04-10T23:16:59.261349436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3455
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3cea4056-063b-4394-b13d-4dc863235987
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dbesth1.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  258c60b279a8debef184b5c01766604f_JaffaCakes118
- Size
  
  280KB
- MD5
  
  258c60b279a8debef184b5c01766604f
- SHA1
  
  011f5dda5f08ac9f3ec5723ce3d54ad738f8a367
- SHA256
  
  20a58ef0190c09058cef8c973a92a39a1aa125a350cd47e381d44937983274a9
- SHA512
  
  50d90c2eedbf941d6e38ab8274b11654bcf8b613c8aa03ba10fcc9a4ef29551ed88f47d21bb12c11648e7524a8d1fe73c11e0c8864d01b8c9fe0773952e5c313
- SSDEEP
  
  6144:72j756oaGYq2ygcOCJPExIn52TO18L63E4xK:yj09ygcOQZ5iO1u38K
Score

10^/10

lokibot nanocore collection evasion keylogger spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotnanocorecollectionevasionkeyloggerspywarestealertrojan

behavioral2

lokibotnanocorecollectionevasionkeyloggerspywarestealertrojan