lokibot | 342a7423816355a284fa4e6d361903464361c8e76e87b653705a6797091bab80 | Triage

Sharing

General

Target

342a7423816355a284fa4e6d361903464361c8e76e87b653705a6797091bab80.exe
Size

555KB
Sample

240604-skb6qsbb6s
MD5

70ff702780f5263f3277160c3982ebf9
SHA1

5faa208e76d11c9f5fc11c90ec285b9f5b55a4d6
SHA256

342a7423816355a284fa4e6d361903464361c8e76e87b653705a6797091bab80
SHA512

46e38bf4c4dbc36be27505753d8b420be5568f3410fe8719864abe53280f57abc76b24427839ee4beb3d1a770716c3d75c65009c52126a4a2e26f178dc0c9450
SSDEEP

12288:J9Kt/rFfa/7eQj8dnwl+hZZ1jj1hjOZq9rYrrB/Y0vQ:PKN5i/9wwYr5h649srrBLo

Score

10^/10

lokibot collection execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/d1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  342a7423816355a284fa4e6d361903464361c8e76e87b653705a6797091bab80.exe
- Size
  
  555KB
- MD5
  
  70ff702780f5263f3277160c3982ebf9
- SHA1
  
  5faa208e76d11c9f5fc11c90ec285b9f5b55a4d6
- SHA256
  
  342a7423816355a284fa4e6d361903464361c8e76e87b653705a6797091bab80
- SHA512
  
  46e38bf4c4dbc36be27505753d8b420be5568f3410fe8719864abe53280f57abc76b24427839ee4beb3d1a770716c3d75c65009c52126a4a2e26f178dc0c9450
- SSDEEP
  
  12288:J9Kt/rFfa/7eQj8dnwl+hZZ1jj1hjOZq9rYrrB/Y0vQ:PKN5i/9wwYr5h649srrBLo
Score

10^/10

lokibot collection execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

lokibotcollectionexecutionspywarestealertrojan