lokibot | 3df1304cf3bf2f4480a901ed27750912c906bfd604eb1f769a26cb104ff72457 | Triage

Submit
Reports

Overview

overview

Static

static

3

Quotation ...17.exe

windows7-x64

Quotation ...17.exe

windows10-2004-x64

Sharing

General

Target

3df1304cf3bf2f4480a901ed27750912c906bfd604eb1f769a26cb104ff72457.zip
Size

523KB
Sample

240516-bmldradh26
MD5

4eeab23756269f7641c668b985278e37
SHA1

e63325006ec01e2d1a7b0285cae0ad0f7531d3b9
SHA256

3df1304cf3bf2f4480a901ed27750912c906bfd604eb1f769a26cb104ff72457
SHA512

1612b85bb1116f66c78a5dad5c611f9304c4149eee4e11f2b53d27af6ba634128dfb76eeb7a093e4b98126ea75da02fc71bd76f6886c3b6eeab4d8f555c193f4
SSDEEP

12288:z3ZF1K2A/rBoWqQSh7wKYX0v2bZHcrDzc1qNdHsas:V+3eEREaWrDzYqrLs

Score

10^/10

lokibot collection execution spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Quotation No Q240419617.exe

Resource

win7-20240220-en

lokibot collection execution spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

Quotation No Q240419617.exe

Resource

win10v2004-20240508-en

lokibot collection execution spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Quotation No Q240419617.exe
- Size
  
  554KB
- MD5
  
  8331118cac957fd6de499161580db764
- SHA1
  
  944d3f2ed04a7213c5d6774932784e70fa268c26
- SHA256
  
  a1dd7d24763249bcbf451a5c7e58b950e04f365757b627b57546ad80ac00c028
- SHA512
  
  98d5e0e21a96a1eea2217fd60a997570444df51846776debf36eaa336b0bedb637544b43ced0b1b64f0b17a9eb51aa305be8a4609f2cae3d71e0355669d7ed3f
- SSDEEP
  
  12288:05sAXYMjhvPie/rByY7777777777777eEQiRU0pxkoabc+VC1Y6ae2Rg:05sAXYMFniyys207PIc4CK60
Score

10^/10

lokibot collection execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing common artifacts observed in infostealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

lokibotcollectionexecutionspywarestealertrojan

© 2018-2024

Terms | Privacy