lokibot | 4089c87f43570889c4bb4f7f4faf329e610618e54fe326a0f15ce48f295a55e4 | Triage

Submit
Reports

Overview

overview

Static

static

1

megerosites.cmd

windows7-x64

7

megerosites.cmd

windows10-2004-x64

Sharing

General

Target

15072024_1316_15072024_megerősítés.tar
Size

856KB
Sample

240715-qhrgjasfrr
MD5

c03b7ab1e0933d270ddee93aa5f20ba0
SHA1

1b3b594cbed3b4dad194c30d74e599c2214975a5
SHA256

4089c87f43570889c4bb4f7f4faf329e610618e54fe326a0f15ce48f295a55e4
SHA512

28b9cbb3e9a69daba510c6178e2d2aea38f34c3ab4915eb3266bc03ecdff6f0093674386357bf8eb1d68efd6aa3e8c2cf02ec6b8673c6040f2c80e7a12f44f8a
SSDEEP

24576:7zcTpDbffMYx3hg+S0L7gtigq3rxGmwtT3Xlly:ncTNbfEcnL7YigqbrqXy

Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

megerosites.cmd

Resource

win7-20240704-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

megerosites.cmd

Resource

win10v2004-20240709-en

lokibot modiloader collection persistence spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  megerosites.cmd
- Size
  
  3.1MB
- MD5
  
  a7ecf2d80475a31c10bfdddd8c060548
- SHA1
  
  f2b81ba9aa32b39fa41558f67d2627ab3da72f29
- SHA256
  
  6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc
- SHA512
  
  64b26683677f636eaf632f11d3f9d6d7502ab17a3b102fffc66c846b53d017f2dd09c5e42bbaa7e3d07a7a98f26909cccb41a746ba520a3a9b9dce43bf7a55a5
- SSDEEP
  
  24576:eIQFfxaplqwu8YYDEWRRm0Dxb3n7o3quNeHt2T6IPGKhCNwPmOyEC5p+gP3m0nlL:eIq5a/h5YYDEcRm0D53UYHQ6hcm5ECR
Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

lokibotmodiloadercollectionpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy