lokibot | 5823b1d051f7d0aa5417ff436117cb464595d8e8269e72fb716ed64bc25d288b | Triage

Sharing

General

Target

7f9289ffc73e19d5f55d77d01ce9f78d_JaffaCakes118
Size

1.9MB
Sample

240529-fpt6wsbc6w
MD5

7f9289ffc73e19d5f55d77d01ce9f78d
SHA1

12f31b5231a0b59d2cd831eb30da5b2d49851a21
SHA256

5823b1d051f7d0aa5417ff436117cb464595d8e8269e72fb716ed64bc25d288b
SHA512

edcd0e603b6ae7787b33a8d3ce7326f7a161c850ed9045214d21dcff52f1c032e36d4a07d4d1ec5bb0a972e9c1f7aee4b39b478252e4ecae23fe32343e170e1b
SSDEEP

24576:f6aq7F1GFMy5F5nNNOdQT7CrDsGvIaakofoh8nMx4X9MA/bbQ8JFjDbbMDUAqI3k:f3F15bNNgQdGvzakofMx091FjoUqFF

Score

10^/10

lokibot collection evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://parkrosegroup.info/lewy/sun/quakes/solar/gem/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  7f9289ffc73e19d5f55d77d01ce9f78d_JaffaCakes118
- Size
  
  1.9MB
- MD5
  
  7f9289ffc73e19d5f55d77d01ce9f78d
- SHA1
  
  12f31b5231a0b59d2cd831eb30da5b2d49851a21
- SHA256
  
  5823b1d051f7d0aa5417ff436117cb464595d8e8269e72fb716ed64bc25d288b
- SHA512
  
  edcd0e603b6ae7787b33a8d3ce7326f7a161c850ed9045214d21dcff52f1c032e36d4a07d4d1ec5bb0a972e9c1f7aee4b39b478252e4ecae23fe32343e170e1b
- SSDEEP
  
  24576:f6aq7F1GFMy5F5nNNOdQT7CrDsGvIaakofoh8nMx4X9MA/bbQ8JFjDbbMDUAqI3k:f3F15bNNgQdGvzakofMx091FjoUqFF
Score

10^/10

lokibot collection evasion persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionevasionpersistencespywarestealertrojan

behavioral2

lokibotcollectionevasionpersistencespywarestealertrojan