lokibot | d88fb0be58aa3bc16503e4c898115d6a21c06337d6741f5f5d337f32533fad37 | Triage

Submit
Reports

Overview

overview

Static

static

1

megerosites.cmd

windows7-x64

7

megerosites.cmd

windows10-2004-x64

Sharing

General

Target

megerősítés.tar
Size

856KB
Sample

240715-pn13gs1dnl
MD5

64fbeca8bc0e05e237c3612ac3998ac9
SHA1

31eda0b12a75ae4933d941040fe2e8253ed45977
SHA256

d88fb0be58aa3bc16503e4c898115d6a21c06337d6741f5f5d337f32533fad37
SHA512

a0a5ce5ad3ba91cb099a45a971ec26b8c33b962d96b19a073ef909de60719483e84ef9ac46f16f0bac6c198420411165a475a0ddf3cdf29c62244f858d292d8d
SSDEEP

24576:7zcTpDbffMYx3hg+S0L7gtigq3rxGmwtT3XllG:ncTNbfEcnL7YigqbrqXG

Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

megerosites.cmd

Resource

win7-20240705-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

megerosites.cmd

Resource

win10v2004-20240709-en

lokibot modiloader collection persistence spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  megerosites.cmd
- Size
  
  3.1MB
- MD5
  
  a7ecf2d80475a31c10bfdddd8c060548
- SHA1
  
  f2b81ba9aa32b39fa41558f67d2627ab3da72f29
- SHA256
  
  6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc
- SHA512
  
  64b26683677f636eaf632f11d3f9d6d7502ab17a3b102fffc66c846b53d017f2dd09c5e42bbaa7e3d07a7a98f26909cccb41a746ba520a3a9b9dce43bf7a55a5
- SSDEEP
  
  24576:eIQFfxaplqwu8YYDEWRRm0Dxb3n7o3quNeHt2T6IPGKhCNwPmOyEC5p+gP3m0nlL:eIq5a/h5YYDEcRm0D53UYHQ6hcm5ECR
Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

lokibotmodiloadercollectionpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy