lokibot | 20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc | Triage

Submit
Reports

Overview

overview

Static

static

1

Potrditev.cmd

windows7-x64

7

Potrditev.cmd

windows10-2004-x64

Sharing

General

Target

Potrditev.cmd
Size

2.8MB
Sample

240718-mlds3axglf
MD5

306e6e3743666b8f5fedb0127b041883
SHA1

53ac1756ee69296be5f5c99ee18b1d1cb70369d4
SHA256

20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
SHA512

233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
SSDEEP

24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B

Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Potrditev.cmd

Resource

win7-20240705-en

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

Potrditev.cmd

Resource

win10v2004-20240709-en

lokibot modiloader collection persistence spyware stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Potrditev.cmd
- Size
  
  2.8MB
- MD5
  
  306e6e3743666b8f5fedb0127b041883
- SHA1
  
  53ac1756ee69296be5f5c99ee18b1d1cb70369d4
- SHA256
  
  20a156c7ad57c2c78a63e7f8d318d2bbba7e0d94186f92ef469aed643e1bf5cc
- SHA512
  
  233d9861fe624b707fe4b89435cf27f1216006e97b97374fa159574d63ca6db351fc2cba454554c82d210ca6f8a4f8be383c6723eab0a54ac1a2e984317804c1
- SSDEEP
  
  24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrQf3m29Yqk:Rr0jYNi8DrApkpUNLgVDzNVpeIh/c2B
Score

10^/10

lokibot modiloader collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

lokibotmodiloadercollectionpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy