lokibot | d9644e542d46df6aaaf06413336870607c3b6c23bf7088d98b912b96ceb644b4 | Triage

Sharing

General

Target

5a4b5d2da6ea58c3facadc9adf9b0eff_JaffaCakes118
Size

1.9MB
Sample

240519-tr8nyseh49
MD5

5a4b5d2da6ea58c3facadc9adf9b0eff
SHA1

3731c810f59c1c7811a2f876ba9fe55c299af171
SHA256

d9644e542d46df6aaaf06413336870607c3b6c23bf7088d98b912b96ceb644b4
SHA512

5f341d959c6e0b5f2e545e186611236d774ed8b4cf64bf90706274872405f26457e2a035dff370d2d8f66396612628c0f9cfbfec3c34a0c0acb8e226d46d6f72
SSDEEP

49152:53gPy3EOvdXv4sLOyGkB27eGh0qMthvTFjGygKe:5R3dVsyGYo0dfaxN

Score

10^/10

lokibot collection evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://89.46.222.135/lewy/lewy/sun/best/solar/gem/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  5a4b5d2da6ea58c3facadc9adf9b0eff_JaffaCakes118
- Size
  
  1.9MB
- MD5
  
  5a4b5d2da6ea58c3facadc9adf9b0eff
- SHA1
  
  3731c810f59c1c7811a2f876ba9fe55c299af171
- SHA256
  
  d9644e542d46df6aaaf06413336870607c3b6c23bf7088d98b912b96ceb644b4
- SHA512
  
  5f341d959c6e0b5f2e545e186611236d774ed8b4cf64bf90706274872405f26457e2a035dff370d2d8f66396612628c0f9cfbfec3c34a0c0acb8e226d46d6f72
- SSDEEP
  
  49152:53gPy3EOvdXv4sLOyGkB27eGh0qMthvTFjGygKe:5R3dVsyGYo0dfaxN
Score

10^/10

lokibot collection evasion persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionpersistencespywarestealertrojan

behavioral2

lokibotcollectionevasionpersistencespywarestealertrojan