lokibot | 54bce9cf5fd3db8c05d14145ea5828a6f03ab64b6cece66b16ca133459c204c5 | Triage

Sharing

General

Target

487bcace9d16acb36dc5aa12e55e33c0_JaffaCakes118
Size

845KB
Sample

240515-25myeagh3x
MD5

487bcace9d16acb36dc5aa12e55e33c0
SHA1

ba96656d047644650069fd48705ad29842842df0
SHA256

54bce9cf5fd3db8c05d14145ea5828a6f03ab64b6cece66b16ca133459c204c5
SHA512

387680843ca96eff819618d52f7cd9d8bf1e9972b6b5f1aa731d3eda6543e68f0032f229c2a78de989b90d5437a094d6c47ba8b0349fdc7ab2744edbcf1b5bd9
SSDEEP

12288:P8Mu7Mo5dsAgikf4CoxPrj+esTCmDXrikd63itFtpunDIr:P8NMfAlNPrK2mHiZ3YFt4Ur

Score

10^/10

lokibot bootkit collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://zedekus.com.ng/badmood/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  487bcace9d16acb36dc5aa12e55e33c0_JaffaCakes118
- Size
  
  845KB
- MD5
  
  487bcace9d16acb36dc5aa12e55e33c0
- SHA1
  
  ba96656d047644650069fd48705ad29842842df0
- SHA256
  
  54bce9cf5fd3db8c05d14145ea5828a6f03ab64b6cece66b16ca133459c204c5
- SHA512
  
  387680843ca96eff819618d52f7cd9d8bf1e9972b6b5f1aa731d3eda6543e68f0032f229c2a78de989b90d5437a094d6c47ba8b0349fdc7ab2744edbcf1b5bd9
- SSDEEP
  
  12288:P8Mu7Mo5dsAgikf4CoxPrj+esTCmDXrikd63itFtpunDIr:P8NMfAlNPrK2mHiZ3YFt4Ur
Score

10^/10

lokibot bootkit collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotbootkitcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionpersistencespywarestealertrojan