lokibot | 425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb | Triage

Submit
Reports

Overview

overview

Static

static

1

425ef5b31a...b.docx

windows7-x64

425ef5b31a...b.docx

windows10-2004-x64

1

Sharing

General

Target

425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb.doc
Size

16KB
Sample

240610-k7crsaff53
MD5

58fa856ae520dc6c6e47f4b459e2de5b
SHA1

89c76a3bcb6a83cb1b343f5ea03cfc2da2214e97
SHA256

425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb
SHA512

9f7f17693948a76f679bc076464e4c71408a3dc6a31b14861eed0fe987032ef9a1402c34ab8905aa31d3e373c4f50ac5148a121ca3e4498cb7fd31786318acd3
SSDEEP

384:IyXnXK3Wgs8PL8wi4OEwH8TIbE91r2fRcJYzviML2nkPt:Icnyb5P3DOqnYJamvtL2nkF

Score

10^/10

lokibot collection execution spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb.docx

Resource

win7-20240215-en

lokibot collection execution spyware stealer trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb.docx

Resource

win10v2004-20240226-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://alphabetllc.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb.doc
- Size
  
  16KB
- MD5
  
  58fa856ae520dc6c6e47f4b459e2de5b
- SHA1
  
  89c76a3bcb6a83cb1b343f5ea03cfc2da2214e97
- SHA256
  
  425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb
- SHA512
  
  9f7f17693948a76f679bc076464e4c71408a3dc6a31b14861eed0fe987032ef9a1402c34ab8905aa31d3e373c4f50ac5148a121ca3e4498cb7fd31786318acd3
- SSDEEP
  
  384:IyXnXK3Wgs8PL8wi4OEwH8TIbE91r2fRcJYzviML2nkPt:Icnyb5P3DOqnYJamvtL2nkF
Score

10^/10

lokibot collection execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

© 2018-2025

Terms | Privacy