lokibot | 2ebbc8d115ea3837f5fe4d5f6002378415e32f146ae35bc71b662fcf391f8213 | Triage

Sharing

General

Target

8ef9263179009f78b0304f7727300199_JaffaCakes118
Size

308KB
Sample

240602-wwk5kaad2y
MD5

8ef9263179009f78b0304f7727300199
SHA1

b1d0d6c7afbf46fcb45b4d72422e21a7bd7dbb66
SHA256

2ebbc8d115ea3837f5fe4d5f6002378415e32f146ae35bc71b662fcf391f8213
SHA512

55fc476c2a1d8c4a8cc6662da34c91b0a1ec17d02243921f69cacc8f48c3e42974539bec6c746c2970fc76375eb79e9cb57277134051a53b8c8c8109f0c1a907
SSDEEP

6144:uDj423ONTY/UyO36ChE2fyhYEkIxJtVAocSQGvlqW329CzSH:3qONU8P368lq1VAokGvlq829vH

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://www.dnacharting.com/ninja/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Proforma Invoice.exe
- Size
  
  437KB
- MD5
  
  815f71cfc9609704f70ae0fc6233054c
- SHA1
  
  9ba0f99c42519684bb756295a40570aabc7893b0
- SHA256
  
  9aa412994b497215109e55a1d2187f076bebefcef89720355cfab91513b57a2e
- SHA512
  
  6610d1b8e71a857e5a10e06c7a05f1c80d9cbe8c6655a2808db6ac8bf935a9f5d6908faa0290e19b723891d2185ca925614f5ab202e8935d31ee7732c123803f
- SSDEEP
  
  6144:SDlLOvsk/isgr5h99eJtB/H21QXQOv8Z97+X7b4X2v3fuKrBCFCsmhTWUCp0ts:oAmfbMtB/HXXQ9972b4mnHkk53Fts
Score

10^/10

lokibot collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionpersistencespywarestealertrojan