lokibot | 1251e556fd7af5f92ba248b630393034278d7ee4fb0a7732593e0b3bcae0189a | Triage

Sharing

General

Target

8337d48e68802bf418a2e00283ab1914_JaffaCakes118
Size

297KB
Sample

240802-f8qb2stbrb
MD5

8337d48e68802bf418a2e00283ab1914
SHA1

a4b29f419c3f1cca7aee24cff1ebb10416c18695
SHA256

1251e556fd7af5f92ba248b630393034278d7ee4fb0a7732593e0b3bcae0189a
SHA512

a7f067177bc7caa805b3ccfbbe24dd78c1640581788eacf838ff8b4929e176884f1b9914c172b92099bbc50896eb33b496cfe3d5bd49ec7cee3f6a07239b423b
SSDEEP

6144:9zqg9R2sG9BfheFZemiJ2C4DVth4cLUvjj0hTt/9:9mQR1HFZemjRth4MwjApZ9

Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://lokipanelhostingpanel.gq/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  8337d48e68802bf418a2e00283ab1914_JaffaCakes118
- Size
  
  297KB
- MD5
  
  8337d48e68802bf418a2e00283ab1914
- SHA1
  
  a4b29f419c3f1cca7aee24cff1ebb10416c18695
- SHA256
  
  1251e556fd7af5f92ba248b630393034278d7ee4fb0a7732593e0b3bcae0189a
- SHA512
  
  a7f067177bc7caa805b3ccfbbe24dd78c1640581788eacf838ff8b4929e176884f1b9914c172b92099bbc50896eb33b496cfe3d5bd49ec7cee3f6a07239b423b
- SSDEEP
  
  6144:9zqg9R2sG9BfheFZemiJ2C4DVth4cLUvjj0hTt/9:9mQR1HFZemjRth4MwjApZ9
Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Modifies WinLogon for persistence
  persistence
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan