lokibot

Sharing

Copy URL

Twitter E-mail

General

Target

a7b98846b36bcb5c93ff603820a16a78_JaffaCakes118
Size

350KB
Sample

240818-wzy6laxcjb
MD5

a7b98846b36bcb5c93ff603820a16a78
SHA1

42eafda73dff59b05a07338c869e0a102e1f3463
SHA256

4eb8bed8591422f6065c3198d6c3464b14e438f6566003997d98b81d776f02b9
SHA512

d7061fb3f7976a4bf383023821419226e0ffac92a79b3e7ff2cd6e53f9a9cdc54b45a7f1def05750b3f9cedaebabbf660149e27384d75a09da0a6eaa173ae476
SSDEEP

6144:pPCganN5KPWsaDmht+8CP6swJZ8LNJ+8tMJqgZnN9iHFUNHk4d9bYrz8RbKVox+n:nanLKesgmhkLxwJZ8LNPmZN9EZ43HaoO

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://remzclot.ga/etc/main/l09/ap0s/home.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  a7b98846b36bcb5c93ff603820a16a78_JaffaCakes118
- Size
  
  350KB
- MD5
  
  a7b98846b36bcb5c93ff603820a16a78
- SHA1
  
  42eafda73dff59b05a07338c869e0a102e1f3463
- SHA256
  
  4eb8bed8591422f6065c3198d6c3464b14e438f6566003997d98b81d776f02b9
- SHA512
  
  d7061fb3f7976a4bf383023821419226e0ffac92a79b3e7ff2cd6e53f9a9cdc54b45a7f1def05750b3f9cedaebabbf660149e27384d75a09da0a6eaa173ae476
- SSDEEP
  
  6144:pPCganN5KPWsaDmht+8CP6swJZ8LNJ+8tMJqgZnN9iHFUNHk4d9bYrz8RbKVox+n:nanLKesgmhkLxwJZ8LNPmZN9EZ43HaoO
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2
- Target
  
  $APPDATA/labels/email-a-friend/_adm/51.opends60.dll
- Size
  
  50B
- MD5
  
  81d2e779daf6490730f4ad8a4baa6647
- SHA1
  
  b8458bdd5ae0d00be7f52e1aeba25e260bc43202
- SHA256
  
  15d85f4938b80699821f491e4a98695f8aca58bce9c5868ecc392a2bd48bc408
- SHA512
  
  4513bee7d29cb72eb05a4ca95f86b6112c3af922f3fe29949682052c69f4409fdacd0e01d8d5ce69a55f34b2638e2aa9e6280e8855f235946d3628cc2149c59b
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/labels/email-a-friend/_adm/sbsiehost.dll
- Size
  
  5KB
- MD5
  
  1cf524d6a7e87af589b8d60a48eb4d2d
- SHA1
  
  b87fdd028eac75346f8be8ba43e308f575dcc2de
- SHA256
  
  22988f2381becff592dd11c42a6b680efacdefa9cd1f780742bca578505d14e1
- SHA512
  
  cc87e463d28c506da52b21031b26e85bc644c5dbba3d822c61b08d871bc57724ecd0fbabc5bab3b2f35202305c04e029beeffd4dc207aec9024cf3dd0c6ef057
- SSDEEP
  
  48:C0ytD8wh8fCfSuE4PY2k180rdoTNu+fUtZWNHWHlXPIBSsg5WWrn51m:7ytD83fC6u7g2crdONH6Wt0lPIBT0W8
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $TEMP/Stickinthemud.dll
- Size
  
  44KB
- MD5
  
  441254ab998d6ec5636622dd2b7ea539
- SHA1
  
  6e6546776316ebf8e9039107ca1bc9b32705625a
- SHA256
  
  26963ffdddd241f6d0f5d54824335afcc55705876708c238628e1fefe559f045
- SHA512
  
  02c03ec58d5baa8b7b6804b161678582e317a52a4dfec07970dc44003a93e3e3d6f1cb17714bf406096c8b0d28ed7b0828ea5f7926f88722532114df4213d6f0
- SSDEEP
  
  768:a2Cxhyh/wpK9lG3Pn+Meuh7DGnTED6xB3vyHTsU9MBacUB9G55:ixshihnnwRxEzdMUcUBM5
Score

10^/10

lokibot discovery spyware stealer trojan collection credential_access
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral7 behavioral8
- Target
  
  $TEMP/m6_invoice/50.opends60.dll
- Size
  
  53B
- MD5
  
  fef6ff21091dd47c0613d0d3877e5bc9
- SHA1
  
  da1674ed58ffcbb339c48c52bfdee85c27f2f4b9
- SHA256
  
  340892ce705602d6c93c888dccd941a3ea9195f78d56d92952bae9c9d0476a53
- SHA512
  
  d19fd56aadc1c95971c2373d8e47cfefe741066caf37cb326cbd65304dfc5f698a0381e1b882a8e53ca894b0f0908218bd1a8705ae33971aadc0e258ce14cff8
Score

1^/10
behavioral10 behavioral9
- Target
  
  $TEMP/m6_invoice/genasm.exe
- Size
  
  44KB
- MD5
  
  cea839e6bba49bf99a52b509d159e48e
- SHA1
  
  0c2b9a457a117fa1301b3df40319f3031d8fafc8
- SHA256
  
  b09d86e593968f6c4f9e03bba7a4cff9f714febe4e4fd5918fff4395ed12849a
- SHA512
  
  964db677a323fc26c62d224b771f77e5e511cb16221e4faa129f101ef8a6191e03cac4012f70faa1aec72a59a78e4733c7268d3ccf3355681633e7416ab2c437
- SSDEEP
  
  768:q+NZt3IP70NpPUyQqbkc40ZCOgOvd5Y1:qaU5xqbkn0Z4Ovd50
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $TEMP/m6_invoice/u2lsamp1.dll
- Size
  
  21KB
- MD5
  
  ccd8feed3d549bd78a2f76de4d721cd5
- SHA1
  
  5161b82635d547642afd6712196c334e92547900
- SHA256
  
  7fd9b7f2a88aae8a5adaad08b3b54e73d1bb980282538dbb2e6e54afd95ea5e3
- SHA512
  
  2e2582ce204e129efc10e845b299efd652967484ef113e3486561dfbb883c847653c61c03eeb2503378e45a24aff5d6721d6ff78ff09eeb4337c1d0323e8f269
- SSDEEP
  
  384:Y4BVub0hI8BJFsYkE+j6V3WKilfWLCcY9jBJJphf:jNFsYkE+eDmWL38TJ7
Score

3^/10

discovery
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Lokibot

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14