lokibot | 782b974af31ff9999e5449f9a675ea18d97d26456a277327b1e492c539e14ece | Triage

Sharing

General

Target

3825efd5fcbdde5bd2a250c08d335c91_JaffaCakes118
Size

512KB
Sample

240512-elfcwsag33
MD5

3825efd5fcbdde5bd2a250c08d335c91
SHA1

8337c955226c5568fb81a5cba795ddb34b86ce77
SHA256

782b974af31ff9999e5449f9a675ea18d97d26456a277327b1e492c539e14ece
SHA512

caa5274799517e73e96f1ffd089a7797f9fda4b5df34a9ba634fb13bc685ab68733c80594a01d239490d9768f4e7f9ac88f8be24dc540a0032b8657d53cc2c36
SSDEEP

3072:Z9VkLyI8bS7A7WGAXLKEHpImmRxOt47AEsEUgOqWr6:fWN8bS7rjXWEJImmRQ27ADE

Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://rijadeja.online//wp-admin/lang/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

brioushde.sytes.net:1982

Attributes

activex_autorun
true
activex_key
{54Q7I7SW-LW5J-T8RK-0CO4-V2U623687CI6}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
MPkcWYro
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Targets

- Target
  
  3825efd5fcbdde5bd2a250c08d335c91_JaffaCakes118
- Size
  
  512KB
- MD5
  
  3825efd5fcbdde5bd2a250c08d335c91
- SHA1
  
  8337c955226c5568fb81a5cba795ddb34b86ce77
- SHA256
  
  782b974af31ff9999e5449f9a675ea18d97d26456a277327b1e492c539e14ece
- SHA512
  
  caa5274799517e73e96f1ffd089a7797f9fda4b5df34a9ba634fb13bc685ab68733c80594a01d239490d9768f4e7f9ac88f8be24dc540a0032b8657d53cc2c36
- SSDEEP
  
  3072:Z9VkLyI8bS7A7WGAXLKEHpImmRxOt47AEsEUgOqWr6:fWN8bS7rjXWEJImmRQ27ADE
Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

behavioral2

lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan