lokibot | 3df08455328e3a6d6baba03305f922e1f676bbdc33bd36a7b4cacbe7f12507d4 | Triage

Sharing

General

Target

8177fdfe86f0dc6d5baa83ee968788a1_JaffaCakes118
Size

410KB
Sample

240529-w48wlaeb34
MD5

8177fdfe86f0dc6d5baa83ee968788a1
SHA1

9d13e6ae82c2fdfc9b0a8ac25fd693efc8d76aea
SHA256

3df08455328e3a6d6baba03305f922e1f676bbdc33bd36a7b4cacbe7f12507d4
SHA512

c6661a94e2a9aba1c2e53d0a9fc373cf169da421f88e4a524434b853abdc6ef4d1e4e899b807da9ab36bbec7a6ecd992bc47f641b07ae4e04a1301a32809e216
SSDEEP

6144:QpbUwWKTRTdP0YKAuneGKxgkl4OoUXeIeLg5+kdR5uf:KUw99dR3ur+l8UXfR+kd

Score

10^/10

lokibot collection persistence spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

C2

http://abscete.info/hero/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  8177fdfe86f0dc6d5baa83ee968788a1_JaffaCakes118
- Size
  
  410KB
- MD5
  
  8177fdfe86f0dc6d5baa83ee968788a1
- SHA1
  
  9d13e6ae82c2fdfc9b0a8ac25fd693efc8d76aea
- SHA256
  
  3df08455328e3a6d6baba03305f922e1f676bbdc33bd36a7b4cacbe7f12507d4
- SHA512
  
  c6661a94e2a9aba1c2e53d0a9fc373cf169da421f88e4a524434b853abdc6ef4d1e4e899b807da9ab36bbec7a6ecd992bc47f641b07ae4e04a1301a32809e216
- SSDEEP
  
  6144:QpbUwWKTRTdP0YKAuneGKxgkl4OoUXeIeLg5+kdR5uf:KUw99dR3ur+l8UXfR+kd
Score

10^/10

lokibot collection persistence spyware stealer trojan upx
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojanupx

behavioral2

lokibotcollectionpersistencespywarestealertrojanupx