lokibot | 4b9e64c6e0cb28b241242f4b659a42956d00d2b4ddd1793486fa478c81dd0ca9 | Triage

Sharing

General

Target

5904ec8848e4305a3b30faf7a69c61b9_JaffaCakes118
Size

291KB
Sample

240729-xc25eatgkq
MD5

5904ec8848e4305a3b30faf7a69c61b9
SHA1

84939d454d3c6bdeff97b2f7ff73b036e1783c81
SHA256

4b9e64c6e0cb28b241242f4b659a42956d00d2b4ddd1793486fa478c81dd0ca9
SHA512

bf05ebb6244919bd896ad90087aaed2a907c6d7ddaa796757c1102859ccc186514024f7a07bc0e7d0e17ce44a59d66c647879f1a7f1ab3812a031f87ff8c1812
SSDEEP

6144:LtH30+B2pin6XBArf2/8kQwC5UyPyLN3hilIHPGhtrz+ihJD:LG+BMuf88kxCVa5RoIYlzV

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://195.69.140.147/.op/cr.php/n6RgdJQ4XDaGY

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  eInvoicing_pdf.exe
- Size
  
  675KB
- MD5
  
  2b263636706fe618e7dc41e611ad9493
- SHA1
  
  21f2f6db2f81135ed00aa3e2549ab401ef571f8b
- SHA256
  
  a70bba83ae2d498368562988a73c7a24018d6e81235b7282146607f0e20a89c3
- SHA512
  
  3b29e38febc0cab219f2864f68300cea2dc38986fe8ae280f2da69c19b7f22b45962b510dabe019d3baea421a1262e0903eefb42ea7abcc0e783e2ce994a9d49
- SSDEEP
  
  12288:z52W/RxLftGwLk0kZSLQhxoIzbDt9VjW:zUWJxjpLkZZSEhp3VjW
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan