lokibot | 6748602c4e2c7d5be5371a81d91ed53259caa331cfb073f243f7b148e47dedd1 | Triage

Sharing

General

Target

4df0ae76281a4e9d9a670337f0b962bd_JaffaCakes118
Size

545KB
Sample

240517-b9gzvacb26
MD5

4df0ae76281a4e9d9a670337f0b962bd
SHA1

b2a10910a23256a658dd600fed35d7f6c99fcb9c
SHA256

6748602c4e2c7d5be5371a81d91ed53259caa331cfb073f243f7b148e47dedd1
SHA512

2f8e997403ac3bf832e3e1bfe377874780ff0be69041dc2b8a15797b8dad4cb04b8fc20b8cbe3d9513999a9ddbd3984fdc24b17a902c8169d1b46f2d753a2071
SSDEEP

12288:K6zxPmG9TejLV8StyVxcxgyYQGPNc0/vM2qvge5sQ:RzxPjU8St8cChcf2qvgar

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://parkrosegroup.info/lewy/sun/emmy/solar/gem/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  4df0ae76281a4e9d9a670337f0b962bd_JaffaCakes118
- Size
  
  545KB
- MD5
  
  4df0ae76281a4e9d9a670337f0b962bd
- SHA1
  
  b2a10910a23256a658dd600fed35d7f6c99fcb9c
- SHA256
  
  6748602c4e2c7d5be5371a81d91ed53259caa331cfb073f243f7b148e47dedd1
- SHA512
  
  2f8e997403ac3bf832e3e1bfe377874780ff0be69041dc2b8a15797b8dad4cb04b8fc20b8cbe3d9513999a9ddbd3984fdc24b17a902c8169d1b46f2d753a2071
- SSDEEP
  
  12288:K6zxPmG9TejLV8StyVxcxgyYQGPNc0/vM2qvge5sQ:RzxPjU8St8cChcf2qvgar
Score

10^/10

lokibot collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionpersistencespywarestealertrojan