lokibot | a987537a3eed5febba6fb3d7b560bc7df89d28d2f141dc6d0350fc67f603fc0f | Triage

Sharing

General

Target

c1b655434a04968b30dcd71b3b0a5681_JaffaCakes118
Size

904KB
Sample

240825-2a6f9sycqe
MD5

c1b655434a04968b30dcd71b3b0a5681
SHA1

bd6502f94d91ffbe844e4b5ecf391851d32ba454
SHA256

a987537a3eed5febba6fb3d7b560bc7df89d28d2f141dc6d0350fc67f603fc0f
SHA512

baebaa89bba8632c66af75fffb2019c3dfacbfcf468204e042ea56efcf8907eff9dc3d801940d281b67b1a1438c37c67bc57aff55a091a6300b98a1762171911
SSDEEP

24576:wmWWuTOO8IxotLM+ogF0Ix7y9JqH7bZhwn6zu63yo:wmiEMijHxUqXZTj

Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://djanic.duckdns.org/fashion/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  swift.exe
- Size
  
  1.0MB
- MD5
  
  1eeb57c0877a06d18aa028e87d5158b4
- SHA1
  
  d086921faba08c2600d862b680b70a53a3bfb88e
- SHA256
  
  d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3
- SHA512
  
  16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1
- SSDEEP
  
  24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw
Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan