lokibot | 5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e | Triage

Submit
Reports

Overview

overview

Static

static

7

63316b248c...18.exe

windows7-x64

63316b248c...18.exe

windows10-2004-x64

Sharing

General

Target

63316b248c6223c9af780f6702462e72_JaffaCakes118
Size

819KB
Sample

240521-n1zjracf6y
MD5

63316b248c6223c9af780f6702462e72
SHA1

61bbdbe9cc7e769bc6f9487f8e6ce43bb3235191
SHA256

5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e
SHA512

bac1fb7c51a388e28946fef08805cf212393a7297b7808cb72e57eb1be6f3d18eb6825f177e149c2508116c9822935401b1e30227e25678baad75141f604bfd2
SSDEEP

24576:gkdLPuTjvHQ5wtGkmvr2+7k/qKWdAMWdg/9B7W:FM7w5wtGkVWkTOAlGn7W

Score

10^/10

lokibot netwire botnet collection rat spyware stealer trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

63316b248c6223c9af780f6702462e72_JaffaCakes118.exe

Resource

win7-20231129-en

lokibot netwire botnet collection rat spyware stealer trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

63316b248c6223c9af780f6702462e72_JaffaCakes118.exe

Resource

win10v2004-20240508-en

lokibot netwire botnet collection rat spyware stealer trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://fashionstune.com/bd/lok/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

91.192.100.49:3917

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Targets

- Target
  
  63316b248c6223c9af780f6702462e72_JaffaCakes118
- Size
  
  819KB
- MD5
  
  63316b248c6223c9af780f6702462e72
- SHA1
  
  61bbdbe9cc7e769bc6f9487f8e6ce43bb3235191
- SHA256
  
  5c93003e656dfd4f287872c450376c508f3cf514c47df13679e948d0ae9a7a1e
- SHA512
  
  bac1fb7c51a388e28946fef08805cf212393a7297b7808cb72e57eb1be6f3d18eb6825f177e149c2508116c9822935401b1e30227e25678baad75141f604bfd2
- SSDEEP
  
  24576:gkdLPuTjvHQ5wtGkmvr2+7k/qKWdAMWdg/9B7W:FM7w5wtGkVWkTOAlGn7W
Score

10^/10

lokibot netwire botnet collection rat spyware stealer trojan upx
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotnetwirebotnetcollectionratspywarestealertrojanupx

behavioral2

lokibotnetwirebotnetcollectionratspywarestealertrojanupx

© 2018-2025

Terms | Privacy