lokibot | 7e029d00984fd057dae91a0f119a2da5e075b1248b8301da18221c6321b80860 | Triage

Sharing

General

Target

6aa6e41943359e34eaeb911754bf949a_JaffaCakes118
Size

2.0MB
Sample

240523-mk249sdc4v
MD5

6aa6e41943359e34eaeb911754bf949a
SHA1

d3ecddacf13d85979fec24ec73f9436486efb530
SHA256

7e029d00984fd057dae91a0f119a2da5e075b1248b8301da18221c6321b80860
SHA512

e01b34de85fda6580f89cb1e2beddbefe60209338ea6a8f99d213e110854791706c9303b27fced00ebf27a191c86ed78345777869536f000e56ec1be367595d8
SSDEEP

49152:++AaIAgFJN6SYiU3We+i62Kzkmq/f+0iwWyXvJHBA:UaC12iU3WAA5D0Jv9

Score

10^/10

lokibot collection evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://quakelz.xyz/fonts/plexis/amaya/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  6aa6e41943359e34eaeb911754bf949a_JaffaCakes118
- Size
  
  2.0MB
- MD5
  
  6aa6e41943359e34eaeb911754bf949a
- SHA1
  
  d3ecddacf13d85979fec24ec73f9436486efb530
- SHA256
  
  7e029d00984fd057dae91a0f119a2da5e075b1248b8301da18221c6321b80860
- SHA512
  
  e01b34de85fda6580f89cb1e2beddbefe60209338ea6a8f99d213e110854791706c9303b27fced00ebf27a191c86ed78345777869536f000e56ec1be367595d8
- SSDEEP
  
  49152:++AaIAgFJN6SYiU3We+i62Kzkmq/f+0iwWyXvJHBA:UaC12iU3WAA5D0Jv9
Score

10^/10

lokibot collection evasion persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionpersistencespywarestealertrojan

behavioral2

lokibotcollectionevasionpersistencespywarestealertrojan