lokibot | 77f59a61da3dc720f9493da3e05a30413ac25c4b1f9772d7d6ed9e2ad499be2c | Triage

Sharing

General

Target

78fcbfa4a6114e95b22785d49a9d67ce_JaffaCakes118
Size

308KB
Sample

240527-ng7q1saf27
MD5

78fcbfa4a6114e95b22785d49a9d67ce
SHA1

bb649bd98dd5b5ec851de7952b6e12fd15a7458a
SHA256

77f59a61da3dc720f9493da3e05a30413ac25c4b1f9772d7d6ed9e2ad499be2c
SHA512

3096c2dc469abb4ab9cb0502da9dff0bea8071ecd2c06b76461fe7656bbb2dc4072b8b2b49e7209055f3e839e57124e104667dcd99152d17a04284bc99dd9914
SSDEEP

6144:rVGfDIBZIb/yx/CUaHzXbxgB5CYsKkUFSBvjeW/E0NV:wfDIIi+jbKQwk3lq2EsV

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://www.dnacharting.com/image/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  swift.exe
- Size
  
  437KB
- MD5
  
  a6acb4165bc13eb460f2d7f2538a3601
- SHA1
  
  4b8cfeaea522e2dbfc92ad9122c9f72db5cf7e7f
- SHA256
  
  e29a407c913eda93bed5f660fee36a91126f56663ed20af7d6f812fe78308bad
- SHA512
  
  ca0b785dc6d1dbc3434587e03e4fb377a65b3cb2d5fda6f2dcf570958bef04ad8fe0838ec05cdf9957c1e9a5df708b52a6430b93daf1ab0c0611aee48d13346b
- SSDEEP
  
  12288:w1hTCPL1yajbUvxwzDBXKxmfvU+AjxOX41O2:24byuzD73AjxtO
Score

10^/10

lokibot collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionpersistencespywarestealertrojan