lokibot | 96cf27ee35af69887dc20d882b0e2b82c21ead56700b776beadbd99ab6d27d16 | Triage

Submit
Reports

Overview

overview

Static

static

1

SecuriteIn...72.rtf

windows7-x64

SecuriteIn...72.rtf

windows10-2004-x64

6

Sharing

General

Target

SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf
Size

336KB
Sample

240509-lbbqaadd85
MD5

e11c85d6890e5b25aa448b3a8ed79057
SHA1

cf57b870f9e4f516fa35205cf4047548d8985abc
SHA256

96cf27ee35af69887dc20d882b0e2b82c21ead56700b776beadbd99ab6d27d16
SHA512

27f18b3409d318979633c23620ecdf4f859c7411e5cce23c04da06063f06b4af3b0fc6136ac024348fe0ea394902538e6dd5448c0e0f47cbb6caf9019678f0be
SSDEEP

6144:EwAYwAYwAYwAYwAYwAYwAYwAYwAYwAWr4nd+1FKiZ:K

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf

Resource

win7-20240221-en

lokibot collection spyware stealer trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf

Resource

win10v2004-20240508-en

windows10-2004-x64

7 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d4/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf
- Size
  
  336KB
- MD5
  
  e11c85d6890e5b25aa448b3a8ed79057
- SHA1
  
  cf57b870f9e4f516fa35205cf4047548d8985abc
- SHA256
  
  96cf27ee35af69887dc20d882b0e2b82c21ead56700b776beadbd99ab6d27d16
- SHA512
  
  27f18b3409d318979633c23620ecdf4f859c7411e5cce23c04da06063f06b4af3b0fc6136ac024348fe0ea394902538e6dd5448c0e0f47cbb6caf9019678f0be
- SSDEEP
  
  6144:EwAYwAYwAYwAYwAYwAYwAYwAYwAYwAWr4nd+1FKiZ:K
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy