lokibot

General

Target

6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.zip
Size

972KB
Sample

240725-vk8wtasgqm
MD5

04f621af589d669e9bf400821e833e8e
SHA1

cbab48ce00eefa42c69fd5dd839e7d4f6d9bbc85
SHA256

73ef345268cb43f47baeb7ba75d7b08d8fd61aeef25dd65e908cf723ab4e43b7
SHA512

415dbad497ae572d4c7b423b47b42327cf8abb1be8f7f87dae9f66e154e6b0c2792a46e42b868eb76e1d7e81eda8b8ad232100ac07ec9d8fa4071b5223918f4e
SSDEEP

24576:v77Y1DyzsjOfD+6J3MdO584jqh8t6VPxUS47p+v:v7c3afi6JXjqat6DEq

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/modify.php?edit=1

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc.cmd
- Size
  
  3.1MB
- MD5
  
  a7ecf2d80475a31c10bfdddd8c060548
- SHA1
  
  f2b81ba9aa32b39fa41558f67d2627ab3da72f29
- SHA256
  
  6a3e2eecb7f7f464c57a7159570d2d55c6893839be852af898089550265f5dfc
- SHA512
  
  64b26683677f636eaf632f11d3f9d6d7502ab17a3b102fffc66c846b53d017f2dd09c5e42bbaa7e3d07a7a98f26909cccb41a746ba520a3a9b9dce43bf7a55a5
- SSDEEP
  
  24576:eIQFfxaplqwu8YYDEWRRm0Dxb3n7o3quNeHt2T6IPGKhCNwPmOyEC5p+gP3m0nlL:eIq5a/h5YYDEcRm0D53UYHQ6hcm5ECR
Score

10^/10

discovery lokibot modiloader collection credential_access persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- ModiLoader Second Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2