lokibot | bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8 | Triage

Submit
Reports

Overview

overview

Static

static

1

3dab021a3f...18.msi

windows7-x64

3dab021a3f...18.msi

windows10-2004-x64

Sharing

General

Target

3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118
Size

412KB
Sample

240514-dnlf9age6w
MD5

3dab021a3f3de36764faea9bdf6a58a4
SHA1

db94f26d20b10730445deb16a1c2b521b4f15849
SHA256

bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8
SHA512

8ef5db5de0e100f06f45b34cd28b564b3cc792fd284fcd87f647b3c35683114751925359b65f5aec829dd65ed8c3e99ec889275c7d6e6f2d179c8b7c855af998
SSDEEP

12288:yEHgAVG3oSEKyNJD4xEbMMEOn8c23H93:yEAlyVNJD8qR8c2X

Score

10^/10

lokibot zgrat agilenet collection persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118.msi

Resource

win7-20240221-en

lokibot zgrat agilenet collection persistence rat spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118.msi

Resource

win10v2004-20240426-en

zgrat agilenet persistence rat

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://agroinovate.online/baminews/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  3dab021a3f3de36764faea9bdf6a58a4_JaffaCakes118
- Size
  
  412KB
- MD5
  
  3dab021a3f3de36764faea9bdf6a58a4
- SHA1
  
  db94f26d20b10730445deb16a1c2b521b4f15849
- SHA256
  
  bd3b6502224d6aa64a38ec8854d9aa4d015c803b90bf5ccc2527f5d3021fbaf8
- SHA512
  
  8ef5db5de0e100f06f45b34cd28b564b3cc792fd284fcd87f647b3c35683114751925359b65f5aec829dd65ed8c3e99ec889275c7d6e6f2d179c8b7c855af998
- SSDEEP
  
  12288:yEHgAVG3oSEKyNJD4xEbMMEOn8c23H93:yEAlyVNJD8qR8c2X
Score

10^/10

lokibot zgrat agilenet collection persistence rat spyware stealer trojan
- Detect ZGRat V1
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotzgratagilenetcollectionpersistenceratspywarestealertrojan

behavioral2

zgratagilenetpersistencerat

© 2018-2024

Terms | Privacy