lokibot | 5b1b715cb6affcca630d5ab5e74527b2827aaec4e8c386a229c8960f4ec6b315 | Triage

Sharing

General

Target

5b1b715cb6affcca630d5ab5e74527b2827aaec4e8c386a229c8960f4ec6b315
Size

590KB
Sample

240529-kwbqcahd2v
MD5

c2d926f3300f30cedcc641396388b2f1
SHA1

41fa8e11e3a27cbc2f20d57d1fc660e8eba25a08
SHA256

5b1b715cb6affcca630d5ab5e74527b2827aaec4e8c386a229c8960f4ec6b315
SHA512

48af9407d8584840da5a3fdfcc68adb60181eed56795e99ee4556620b1cdd125884aa60133967184e0e898deb99b00cf8b8ac141c5acb692964593943b415b4b
SSDEEP

12288:Hbgn6YzXp/TYT0oUFIHF+ctfzm9fWYAwjVDgBXSn09hsZkt/kR:7fsYT8IHF9FQfWSjVD8ta

Score

10^/10

lokibot collection execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://rocheholding.top/evie3/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  5b1b715cb6affcca630d5ab5e74527b2827aaec4e8c386a229c8960f4ec6b315
- Size
  
  590KB
- MD5
  
  c2d926f3300f30cedcc641396388b2f1
- SHA1
  
  41fa8e11e3a27cbc2f20d57d1fc660e8eba25a08
- SHA256
  
  5b1b715cb6affcca630d5ab5e74527b2827aaec4e8c386a229c8960f4ec6b315
- SHA512
  
  48af9407d8584840da5a3fdfcc68adb60181eed56795e99ee4556620b1cdd125884aa60133967184e0e898deb99b00cf8b8ac141c5acb692964593943b415b4b
- SSDEEP
  
  12288:Hbgn6YzXp/TYT0oUFIHF+ctfzm9fWYAwjVDgBXSn09hsZkt/kR:7fsYT8IHF9FQfWSjVD8ta
Score

10^/10

execution lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

lokibotcollectionexecutionspywarestealertrojan