lokibot | 6290631ed5047788ee684455fa4602b05f806a329cdbc758d0655d00d54e8189 | Triage

Sharing

General

Target

2bb8eff795e74ff189c0bbd6bd01e439_JaffaCakes118
Size

622KB
Sample

240509-z1nb9saa89
MD5

2bb8eff795e74ff189c0bbd6bd01e439
SHA1

89b98ef34938a05d29a36eba1b3684c226cc3a8e
SHA256

6290631ed5047788ee684455fa4602b05f806a329cdbc758d0655d00d54e8189
SHA512

c18def0547436e274e0427850721db8dbe7ad6646cda0f0b899caee3a49b288f012dc43a4e74dcf2b16e93a5c851dfc44d5bf593b28926abc3522140d0bb84a8
SSDEEP

6144:0yHoLoI0KiEPpoQdLuNCaxPiHoftdCo1TJNdXh3JsAKdAfKx/8GcsMBvMCmJp1:0eoLoI0OjokIfO4Jl5KdA+esTCmJ

Score

10^/10

lokibot bootkit collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://rockingworld.gq/paris/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  2bb8eff795e74ff189c0bbd6bd01e439_JaffaCakes118
- Size
  
  622KB
- MD5
  
  2bb8eff795e74ff189c0bbd6bd01e439
- SHA1
  
  89b98ef34938a05d29a36eba1b3684c226cc3a8e
- SHA256
  
  6290631ed5047788ee684455fa4602b05f806a329cdbc758d0655d00d54e8189
- SHA512
  
  c18def0547436e274e0427850721db8dbe7ad6646cda0f0b899caee3a49b288f012dc43a4e74dcf2b16e93a5c851dfc44d5bf593b28926abc3522140d0bb84a8
- SSDEEP
  
  6144:0yHoLoI0KiEPpoQdLuNCaxPiHoftdCo1TJNdXh3JsAKdAfKx/8GcsMBvMCmJp1:0eoLoI0OjokIfO4Jl5KdA+esTCmJ
Score

10^/10

lokibot bootkit collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotbootkitcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionspywarestealertrojan