lokibot | 48262847ce76b06634e13f24a48c29437340eace2314029474d0960ab09cdc26 | Triage

Sharing

General

Target

643370808d5a76f4e803d02e59abd0db_JaffaCakes118
Size

542KB
Sample

240521-wedzxsdd4s
MD5

643370808d5a76f4e803d02e59abd0db
SHA1

1b82756f5f5f66de46d4402a83fe0fa0ccdc0a96
SHA256

48262847ce76b06634e13f24a48c29437340eace2314029474d0960ab09cdc26
SHA512

d1f8ae747100656b49cde6e604f800ab9e07ec95cd4efbf17eca6a991869d2361ab5ec5e7b86bd5f05fba8a9e40c46ec0a2f5baccb2bff739f0506bb31cd9a1c
SSDEEP

12288:yy2o1+WuinLldke+FwxZQI+d3Rf1c8m0Sn:zh+SLHke+Fw4BFSn

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://chizzyworld.eu/dramaboi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  643370808d5a76f4e803d02e59abd0db_JaffaCakes118
- Size
  
  542KB
- MD5
  
  643370808d5a76f4e803d02e59abd0db
- SHA1
  
  1b82756f5f5f66de46d4402a83fe0fa0ccdc0a96
- SHA256
  
  48262847ce76b06634e13f24a48c29437340eace2314029474d0960ab09cdc26
- SHA512
  
  d1f8ae747100656b49cde6e604f800ab9e07ec95cd4efbf17eca6a991869d2361ab5ec5e7b86bd5f05fba8a9e40c46ec0a2f5baccb2bff739f0506bb31cd9a1c
- SSDEEP
  
  12288:yy2o1+WuinLldke+FwxZQI+d3Rf1c8m0Sn:zh+SLHke+Fw4BFSn
Score

10^/10

lokibot collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionpersistencespywarestealertrojan