lokibot

Sharing

Copy URL

Twitter E-mail

General

Target

4d09e2d279b49da3985d586565a7a2cf_JaffaCakes118
Size

330KB
Sample

240516-z242eagf5t
MD5

4d09e2d279b49da3985d586565a7a2cf
SHA1

5f8eee081d6b45ec6789d6c0f05b5c4290c2ee47
SHA256

37b3fa9a0fad103ba7311948f3eff98779253409556488638ffe057e435d812d
SHA512

873cbd01f63bc3c1f2adbea0f96730c486dad035b091d752d83c37f1418be3f9e24ea85d2f209b34307b482bfc94343a7f5ea60fbc8b70d54c95126d52fc44c4
SSDEEP

6144:2PCganNz2o5SG/gh1maTxZ/b0yPzCI/GKpEQ6/4+DsVM:Eanx2tG/h8xtb0yPNpEQ6/n

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://remzclot.ga/etc/main/l09/ap0s/home.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  4d09e2d279b49da3985d586565a7a2cf_JaffaCakes118
- Size
  
  330KB
- MD5
  
  4d09e2d279b49da3985d586565a7a2cf
- SHA1
  
  5f8eee081d6b45ec6789d6c0f05b5c4290c2ee47
- SHA256
  
  37b3fa9a0fad103ba7311948f3eff98779253409556488638ffe057e435d812d
- SHA512
  
  873cbd01f63bc3c1f2adbea0f96730c486dad035b091d752d83c37f1418be3f9e24ea85d2f209b34307b482bfc94343a7f5ea60fbc8b70d54c95126d52fc44c4
- SSDEEP
  
  6144:2PCganNz2o5SG/gh1maTxZ/b0yPzCI/GKpEQ6/4+DsVM:Eanx2tG/h8xtb0yPNpEQ6/n
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2
- Target
  
  $APPDATA/konto-eroeffnen/constants/47.opends60.dll
- Size
  
  48B
- MD5
  
  d1aa2ed18ff6f49b3b8986eb0a48cacf
- SHA1
  
  139973b18359e17f0f34a727bbbf81fab5f75c99
- SHA256
  
  3965d0f1981b3da8dea582e371a0862100455809cef13164f9bd6dd59d44c2df
- SHA512
  
  d68cbe61358f229c1faedc310ed57c5b7dc0b325e22879a84e6036b585e4821ef2e562da4832d035a9cce8ebf8e79a2649d0f15ec212433d65979285e99992a1
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/konto-eroeffnen/constants/MFC80JPN.dll
- Size
  
  48KB
- MD5
  
  3e9b3cadc71ab38ff8183299ef772367
- SHA1
  
  4c9a4f181c31b92af497996a5f9c28b549633f12
- SHA256
  
  d688bbc45a22814403bda7609ec1650589f5d0acb8287ad72c6e493d51441e27
- SHA512
  
  4e49cd5737213dde86e662a12df5c0feb94adc30d54d5dc9219285047526ca0e6899ee59a3027cc2572b8c79f4af97c9b8a5392b911ddb873d734537d90a6e60
- SSDEEP
  
  384:hDNCysL/tAGqyVVp7vheBWlWRUJkQbXDr10Jh8I2Bb4:hZXsZAGDN7vQtUJkkr10IIc4
Score

1^/10
behavioral5 behavioral6
- Target
  
  $APPDATA/konto-eroeffnen/constants/MicrosoftWindowsCEForms.dll
- Size
  
  19KB
- MD5
  
  d818d217b0a8055ae995e94a6caa9db3
- SHA1
  
  f8d9307e9ce7803f48a37778e935ba114a492b12
- SHA256
  
  cbba64117b44e28ba4d05f74d4b11b9770922dfaf50d46316227c5012913068d
- SHA512
  
  55b907a136563dcfbe85ef38c1599f76f6b77c7bdd9ef52d708f5fa783bb5ad1c5a01138473e835efca10abb733ae6a03532ca2ec7414e7edc4caaca95fd8b03
- SSDEEP
  
  384:IX/u/+j0QSjE1tmD6NQq36jWa7NEhN3JkWXjYWSYLCcM36mn9:Cj0rg7Q6NYYL3u6Y9
Score

1^/10
behavioral7 behavioral8
- Target
  
  $APPDATA/konto-eroeffnen/constants/makecert.exe
- Size
  
  39KB
- MD5
  
  ed1c00557cde869caa963bbf9c820f05
- SHA1
  
  53bbd8b86fcbee9316e02af399634522b12539b0
- SHA256
  
  4d50ce341be70511e9a871dd347b3f5793ea97787cdfc92045c0bcc8aae6e298
- SHA512
  
  509afc51b647a6904a3a4abf04b43dfaee5fa0878c3a822fce84dd58ce2ab1c15a38610487c520ca6f7c42ed37d754df55a82b0a81a28d31493f2535d9568405
- SSDEEP
  
  768:fqKIjHhW0CfW0FKT7vZKP1xG69D1/gEehcaLnTJ/2acSd:3RnfW0eoPPXpCnTJ/2acSd
Score

1^/10
behavioral10 behavioral9
- Target
  
  $APPDATA/texis/71.opends60.dll
- Size
  
  49B
- MD5
  
  47afaddd615c7585bcaa3998841c07f1
- SHA1
  
  a90d4d3796b98e84ebaae1e5525c73760b6d8cde
- SHA256
  
  e8292fb07ef7ba6c6cbf970494d14baa6107cd84a8f8a421f16c77e423e0f531
- SHA512
  
  05b52ec788b1f996ff9fda517737ba2059ac520234558eb54f0a73668001f87eebacb709c2bd5010c2dfb006d4bf98e178141fd986f8a919ba286ca2a8f720eb
Score

1^/10
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0063d48afe5a0cdc02833145667b6641
- SHA1
  
  e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256
  
  ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512
  
  71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
- SSDEEP
  
  192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
Score

3^/10
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  6e64e5d5f9498058a300b26b8741d9d5
- SHA1
  
  837ce28e5e02788da63a7f1d8f20207d2b0bf523
- SHA256
  
  8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33
- SHA512
  
  f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e
- SSDEEP
  
  96:oWW4JlD3c151V1gQoE8cxM2DjDf3GEst+Nt+jvcx4P8qndYv0PLE:oWp3ggQF8REskpx8dO0PLE
Score

3^/10
behavioral15 behavioral16
- Target
  
  $TEMP/Holotype.dll
- Size
  
  41KB
- MD5
  
  4b02b0b9a0cc891ff025510c605f08bd
- SHA1
  
  42c00ef177b2b4900eb982096c31c55ea636abe9
- SHA256
  
  383d775daef2b8cb6c5d055851ca23b1328d3a75edc01d0801ae72f429b667df
- SHA512
  
  a77ee6c2ef97f2898a4d3007c03a6856d98581251e6160bddd3d5f86ed433a06c5d2edba378abad5a664478b803ac1dd3161de0c74e1f4eacfb8718a08b8843c
- SSDEEP
  
  768:zSIY+guIUaTVNRhwUmnTEDm3vyU12wftb:HYnlhNv+4U1rfZ
Score

10^/10

lokibot spyware stealer trojan collection
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral17 behavioral18
- Target
  
  $TEMP/public_ftp/42.opends60.dll
- Size
  
  54B
- MD5
  
  4fd523513269bfc51954110c8317ef1c
- SHA1
  
  e270f7b387c49491722ceda7e5fdf77caaba9556
- SHA256
  
  97e327f5e11afd404d9f48b6aeab7353ec91daea8a592945f5f32faf82232203
- SHA512
  
  0f0a4515db50d0174904b5e4fbe5f42a871eaf5a88576b3fe53f6f05fe0ffd0b32488e2bf4bc2e7fbb5d76f808e616af3a41339202e0566c0ef8cefc51c48756
Score

1^/10
behavioral19 behavioral20
- Target
  
  $TEMP/public_ftp/47.opends60.dll
- Size
  
  48B
- MD5
  
  d1aa2ed18ff6f49b3b8986eb0a48cacf
- SHA1
  
  139973b18359e17f0f34a727bbbf81fab5f75c99
- SHA256
  
  3965d0f1981b3da8dea582e371a0862100455809cef13164f9bd6dd59d44c2df
- SHA512
  
  d68cbe61358f229c1faedc310ed57c5b7dc0b325e22879a84e6036b585e4821ef2e562da4832d035a9cce8ebf8e79a2649d0f15ec212433d65979285e99992a1
Score

1^/10
behavioral21 behavioral22
- Target
  
  $TEMP/public_ftp/MicrosoftVisualJUpgradeEngineInterface.dll
- Size
  
  7KB
- MD5
  
  20712da756917c247c0b6b00bb323a92
- SHA1
  
  3839d561e4f98f90d1d6927f18da38c52c29487a
- SHA256
  
  afae09aa5b7e708b885ad2a54d13db86a7a53b0c1b5b5490e7055ad859f5cc30
- SHA512
  
  442e0f6bf9c7857ed74a840c5d12ceffd362e106fafabeb3a6d1db55f82c8ad2cb188c4a97ae1dcbd1c17d8fa0950636c2b3aaa8226bb44eedf4384c2eded9bd
- SSDEEP
  
  96:B1ylB3oTgvhx6h2s6CX67RHY8O3mw1NRg2V2Ey2+E/M5dgiL3QN18xv+OKf3zzDn:Ng5whoCgHSVuKi68xWWLbNKOWN
Score

1^/10
behavioral23 behavioral24
- Target
  
  $TEMP/public_ftp/VB7TLDUI.dll
- Size
  
  15KB
- MD5
  
  0e492f70d49ed66ff7471d87c59f3489
- SHA1
  
  b35d34c232903f4ff0aa8de5082d1bccdd78cf67
- SHA256
  
  c94c8a2709401aad4a1e59ef412db3c12aff855b85fcdfe635e70b0ea2420aa1
- SHA512
  
  1f796a2c1360a41a7558b57043c09b2ebeef5fdeaab71cc53af0d28d9b467f43d5a6aee9b4adb0f17adee5f1d4458dbe9e374815fe434f8e8c278fe829a909d6
- SSDEEP
  
  192:laUmA3jzxOnLkv6N3Xz6vrkonZCwnRDcWWqf7L/CldolMvMjGwPgMvws+ebMNOk9:AncYD6LIwnVcWjTLCcY+wCbsOc9j
Score

1^/10
behavioral25 behavioral26
- Target
  
  $TEMP/public_ftp/VSMigrateUI.dll
- Size
  
  15KB
- MD5
  
  8a5d7b38d9bdd2d1c69a0e93147406fc
- SHA1
  
  543d2409257eeba9387bc281f100adf5dbc77966
- SHA256
  
  6a0062f006f1eb13c641a841b7dabf7dbdc810f946bffd9282f72141a72d3bd3
- SHA512
  
  e3b3dcb12986995cb943a449ae80acf48ba6abe7e35673337595f919f9bc821313d35c4708657461c152cf36b1aa29c9ee32b7c9b8332da9b90b4ed2297e9150
- SSDEEP
  
  192:lZxn3fUnucJHN3Xz6vrk9l4cWLAwYWep+/WWqfkIL/CldolMvMjGwPgMvws+ebMg:xP6D6ml4cWLAwNes/WjbLCcY+wCbsOF
Score

1^/10
behavioral27 behavioral28
- Target
  
  $TEMP/public_ftp/gzexe
- Size
  
  5KB
- MD5
  
  5707c43e99bd5ae2c4660ec1bcc213c1
- SHA1
  
  c6247c24928bebbd3a6b74cf499e153f5673e590
- SHA256
  
  6de8254cfd49543097ae946c303602ffd5899b2c88ec27cfcd86d786f95a1e92
- SHA512
  
  e7b1fe76b6c901531dec4369a7086eaf1e49a23cfef4d761e6b65fd4c505584f28b1d7f26089f14b963c997ac85dd6c310af0e01e0c51783481eb309a5aa08be
- SSDEEP
  
  96:KFM9R/fxEoPzmAdCbu3mQTfE9u550zbZC7A+yR+X67/cDbffJD6xP85BYk:GM9R/fWo7mAdCMmOuq0z1Cc+yR+X6zcz
Score

1^/10
behavioral29 behavioral30 behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Lokibot

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32