lokibot | 83761885d25f6efebd14c2b5e26965961fc59896c45a3fff0c1abf555e7b3482 | Triage

Sharing

General

Target

proform invoice.exe
Size

562KB
Sample

240529-eegx5sad38
MD5

b0d8e1c1627e947fc3d0566b856a02c6
SHA1

fc25210ae92295d0b22accffaf767b0c4354f5de
SHA256

83761885d25f6efebd14c2b5e26965961fc59896c45a3fff0c1abf555e7b3482
SHA512

6ae235f56e138fa072dda60a41d37c7e995d45eb69338aa0c4088d49793e1f121813940b69015b779d4b0bb49d9abb24440881b282cb28f65019c164fbd729bf
SSDEEP

12288:I2iKVTc8dJS4VH3bBvFEdh5OlZ77mi3Wa/UAF9VUkXMY:73cqScXtN0qBHWa/UAFTUkXM

Score

10^/10

lokibot collection execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  proform invoice.exe
- Size
  
  562KB
- MD5
  
  b0d8e1c1627e947fc3d0566b856a02c6
- SHA1
  
  fc25210ae92295d0b22accffaf767b0c4354f5de
- SHA256
  
  83761885d25f6efebd14c2b5e26965961fc59896c45a3fff0c1abf555e7b3482
- SHA512
  
  6ae235f56e138fa072dda60a41d37c7e995d45eb69338aa0c4088d49793e1f121813940b69015b779d4b0bb49d9abb24440881b282cb28f65019c164fbd729bf
- SSDEEP
  
  12288:I2iKVTc8dJS4VH3bBvFEdh5OlZ77mi3Wa/UAF9VUkXMY:73cqScXtN0qBHWa/UAFTUkXM
Score

10^/10

lokibot collection execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

lokibotcollectionexecutionspywarestealertrojan