lokibot | df72fc36385e126949ac79802518d9aa8c2fc72c80fd70e6ed50f4484e1b8b53 | Triage

Sharing

General

Target

7526736bf28f79f6ba947cc03c6fcd50_JaffaCakes118
Size

411KB
Sample

240526-l9vwtaeg5y
MD5

7526736bf28f79f6ba947cc03c6fcd50
SHA1

7dd2bd7e2008e38358fa2a0e9f398faf41ce97d1
SHA256

df72fc36385e126949ac79802518d9aa8c2fc72c80fd70e6ed50f4484e1b8b53
SHA512

e4a6d540962871b765de219552b3bdf3c9a8c5c2d775fe50d032971fa4cb8988ee4ce418570eb4b7188ad2643862e6d8d745f98d2d677dab6576114bc5e0713f
SSDEEP

6144:6teU5EzqJeWFgwvLkIeRykKnH3wgHz8mZX2p0apdWUUGkPquTuxkOcyr:AexOJeWuIe4L3w6rl2H3cqYux

Score

10^/10

lokibot collection persistence spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

C2

http://abscete.info/hero/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  7526736bf28f79f6ba947cc03c6fcd50_JaffaCakes118
- Size
  
  411KB
- MD5
  
  7526736bf28f79f6ba947cc03c6fcd50
- SHA1
  
  7dd2bd7e2008e38358fa2a0e9f398faf41ce97d1
- SHA256
  
  df72fc36385e126949ac79802518d9aa8c2fc72c80fd70e6ed50f4484e1b8b53
- SHA512
  
  e4a6d540962871b765de219552b3bdf3c9a8c5c2d775fe50d032971fa4cb8988ee4ce418570eb4b7188ad2643862e6d8d745f98d2d677dab6576114bc5e0713f
- SSDEEP
  
  6144:6teU5EzqJeWFgwvLkIeRykKnH3wgHz8mZX2p0apdWUUGkPquTuxkOcyr:AexOJeWuIe4L3w6rl2H3cqYux
Score

10^/10

lokibot collection persistence spyware stealer trojan upx
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojanupx

behavioral2

lokibotcollectionpersistencespywarestealertrojanupx