lokibot | a184059271aff49d1f7d1aaac736b6aef54e37ef406e1c84e0fd6d396f5dcade | Triage

Sharing

General

Target

07082024_0701_order list.tar
Size

254KB
Sample

240807-htem4stgqm
MD5

e19e70df4fa24a2308785f523562e7e2
SHA1

8c265e4b6fb9703d1b5ecd998644412717a3868f
SHA256

a184059271aff49d1f7d1aaac736b6aef54e37ef406e1c84e0fd6d396f5dcade
SHA512

3e22de99fa43d51ff469a790e248a1b59966e74a2935ff00eb399af9715bc3ddc624de57544aff8f25eff43a445a1814b3227b75c38e0ad9e72cb2f593075d0e
SSDEEP

3072:F+9uCdCIHHO6nnP+D9ghtlMv4Oh6sXxJYU82jFlnW2STRj7E+kzBCPzma7D8eN:YNdCIOh6hGh6+H8eqTRXEuSg8e

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://stema-it.cfd/Lchost/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  order list.vbe
- Size
  
  252KB
- MD5
  
  75209b09f178292acb5ac49cec8d40c8
- SHA1
  
  7d7c4736193d6cc4e1ea14e9d1af1147213063c7
- SHA256
  
  5cd0309940263f1efb9cb40b050196317a404915ec2c05ed94df0224fd13bcd5
- SHA512
  
  68db97b7d93422866aa37b38e05290c00b6d4171df60d71821fe0dbe7aafd50a38046b5ccd81b4550ee02ad9713967f61f3bd1a1a99f422732324198c6ae7bae
- SSDEEP
  
  3072:b+9uCdCIHHO6nnP+D9ghtlMv4Oh6sXxJYU82jFlnW2STRj7E+kzBCPzma7D8eNQ:WNdCIOh6hGh6+H8eqTRXEuSg8ei
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan