lokibot | 0ef10dbdd0a9809fd4079bcb2419406b53a9e60e1ecb38d48fa8a6b9eb461019 | Triage

Submit
Reports

Overview

overview

Static

static

7

75235aba50...18.exe

windows7-x64

75235aba50...18.exe

windows10-2004-x64

Sharing

General

Target

75235aba5043e178ecab25e73f783678_JaffaCakes118
Size

1.6MB
Sample

240526-l68y9sef7t
MD5

75235aba5043e178ecab25e73f783678
SHA1

6ac406887d63583e4f8bf0b5174d001948cebf75
SHA256

0ef10dbdd0a9809fd4079bcb2419406b53a9e60e1ecb38d48fa8a6b9eb461019
SHA512

b5c49536c00824268950e12c17ce2d0976ac593bddf2f994e9513d565b2725a1f0d672f9cac41e33649d1cba0e89b65c0ac5449bbcdc3f659c3d643afe0d7724
SSDEEP

24576:tlWn8RZz/gMbER1dGT3OcQc+foeHi7YmJXFsoPvWZ:t/RZDgqER1dGT3OcQc+foeHE5Fso3W

Score

10^/10

lokibot agilenet collection spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

75235aba5043e178ecab25e73f783678_JaffaCakes118.exe

Resource

win7-20240508-en

lokibot agilenet collection spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

75235aba5043e178ecab25e73f783678_JaffaCakes118.exe

Resource

win10v2004-20240508-en

lokibot agilenet collection spyware stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://51.89.163.167/200/zc-b/cat.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  75235aba5043e178ecab25e73f783678_JaffaCakes118
- Size
  
  1.6MB
- MD5
  
  75235aba5043e178ecab25e73f783678
- SHA1
  
  6ac406887d63583e4f8bf0b5174d001948cebf75
- SHA256
  
  0ef10dbdd0a9809fd4079bcb2419406b53a9e60e1ecb38d48fa8a6b9eb461019
- SHA512
  
  b5c49536c00824268950e12c17ce2d0976ac593bddf2f994e9513d565b2725a1f0d672f9cac41e33649d1cba0e89b65c0ac5449bbcdc3f659c3d643afe0d7724
- SSDEEP
  
  24576:tlWn8RZz/gMbER1dGT3OcQc+foeHi7YmJXFsoPvWZ:t/RZDgqER1dGT3OcQc+foeHE5Fso3W
Score

10^/10

lokibot agilenet collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotagilenetcollectionspywarestealertrojan

behavioral2

lokibotagilenetcollectionspywarestealertrojan

© 2018-2024

Terms | Privacy