lokibot | 796faee4e99839d1dd11e7bc1205e67cd89fe31bb6fa6ab2743310868935f671 | Triage

Sharing

General

Target

3cb0e7646266b60650aa554f75bd9c0b.bin
Size

1.0MB
Sample

240515-cs9h7sdb44
MD5

3cb0e7646266b60650aa554f75bd9c0b
SHA1

c018d025eb56c4fe7fdd19b2e2169c85f7da55a8
SHA256

796faee4e99839d1dd11e7bc1205e67cd89fe31bb6fa6ab2743310868935f671
SHA512

f275b38d8e019ff79e4d42f91449ed14707dcd373f6c158ac61ae70d0038baf70680decc4656c3b7dd9e22fd9c6b9e2ed3ff4967c2a5a7948dfc49825c836fa7
SSDEEP

24576:rmoO8itEqfZgX7kwa6chgOr00MNFe32UkqD/XDuH+D:qvZ+a6BOKFe32UkC+O

Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://fiftint.com/v-2/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  3cb0e7646266b60650aa554f75bd9c0b.bin
- Size
  
  1.0MB
- MD5
  
  3cb0e7646266b60650aa554f75bd9c0b
- SHA1
  
  c018d025eb56c4fe7fdd19b2e2169c85f7da55a8
- SHA256
  
  796faee4e99839d1dd11e7bc1205e67cd89fe31bb6fa6ab2743310868935f671
- SHA512
  
  f275b38d8e019ff79e4d42f91449ed14707dcd373f6c158ac61ae70d0038baf70680decc4656c3b7dd9e22fd9c6b9e2ed3ff4967c2a5a7948dfc49825c836fa7
- SSDEEP
  
  24576:rmoO8itEqfZgX7kwa6chgOr00MNFe32UkqD/XDuH+D:qvZ+a6BOKFe32UkC+O
Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader First Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotmodiloadercollectionpersistencespywarestealertrojan

behavioral2

modiloaderpersistencetrojan