lokibot

Sharing

Copy URL

Twitter E-mail

General

Target

c459a2c1c5630b36403ce0506a029fa5_JaffaCakes118
Size

273KB
Sample

240827-e4bsesvcpn
MD5

c459a2c1c5630b36403ce0506a029fa5
SHA1

c2a85db65a7607c05808b144f401d7e8cf214508
SHA256

13d145b208632cea1403101859df2ef53a276a740b8efa11e04fefaf1a14027b
SHA512

a968d04a1f7a66e49628407e7e0df3016ad168c888b7e55900a2533feadbd1f9d152a36ec2719dd6d7184ddb552c4ab56980b4c8d89ffc2d2f845ab3a1c0233b
SSDEEP

6144:Y4vvDyT0oKoX6UFk4XRUAYF5giA0d+XFiuvcXc/ComCUCzC0zF:voKK9Fk4BUAyg10dE0c/CosCzC0p

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://modevin.ga/~zadmin/lmark/frega/mode.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  INQUIRY 200609-07_06_2020.exe
- Size
  
  293KB
- MD5
  
  1ed0376892edb0aca1e2b1c07ebb7830
- SHA1
  
  79c5bea6346caafff580f21e0db8d14e288a4fc2
- SHA256
  
  c9365a9c17d0b389e953ec604f7a12efb4555f35fe74d8ff99d181e252894a63
- SHA512
  
  390cdc119fc0d58448a4a4e78f29cc13c35b772a0e0b72b67d62e9f6ede627f3aa2c6919c19f53da4834e2c2c3876a2b97f026536f9d668168a58f7cd4722852
- SSDEEP
  
  6144:HPCganNbIJ9Zw715R0W25/WQsF+CnfZMhLu8lF90AaamNAsu70unL9XTbnyokkuV:dan52YrR0W21Wd+CfeMAnwNkXnyoNuum
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2
- Target
  
  $APPDATA/simpleLogin/ear/AvVsPkDH.dll
- Size
  
  26KB
- MD5
  
  dcb503b44bfe005df85e08a645e7c1e3
- SHA1
  
  30e1cf630147d901c792049b1902885b4ffe0af8
- SHA256
  
  28b451525a9122e07d3925643c432fb5b6625919d2ce172a65f79eae64c3aa9f
- SHA512
  
  9bba86c81d55e6bf200a73c1233d806b57f6049aa30d17d5ad0cf6ce32a6e28581148b61c6f6f88c212346fa2d6cbcacabfd88e724ff6ceb40637f719f2e6c5e
- SSDEEP
  
  384:UCjkl0Ke5XN3XEUwBxGTKyP5IULV7pTuWECTE9W8S9UkOWKrhmdTXcpddWBK2yW4:UCjGe5dE2KkrxVTPTeFS9UkOWqmdTp
Score

1^/10
behavioral3 behavioral4
- Target
  
  $APPDATA/simpleLogin/ear/jbimpui.dll
- Size
  
  12KB
- MD5
  
  e3506368b06754e2cc27e29a1f2d3f8c
- SHA1
  
  207d3945c93b499e7e5c28d406a9aa5465880da4
- SHA256
  
  a8a39f536e1322929195fa6fd8f6f3fa1225898cb11165479acaeae4349ada62
- SHA512
  
  8c437e63b81826e673e30f44f0b23f6fa79b5dd1622dbc08d134c472fe821eecc07a48f1e944cd8f8b18cd2135e7379b9c1962d853b2374c4f77dadaf017a829
- SSDEEP
  
  96:1REWQ8NNbW/AGcydg0IDg6beRJhexnDDQJ00B84iJT7JbzBkAIeVAWDBfkKhY76q:wWbNNbW/KlIlUkZ6wIUW
Score

1^/10
behavioral5 behavioral6
- Target
  
  $APPDATA/simpleLogin/ear/resToResX.exe
- Size
  
  38KB
- MD5
  
  8952521941dbe005a4ac2fe8a88aba2c
- SHA1
  
  b5114de8c2e78d72ec8ddb6ab7bcb02b1bb5291f
- SHA256
  
  3a530aacf477d005147c3b3a782b96a7c9a8a17a0a3e163be255ca8a133ea430
- SHA512
  
  a79f7bd27370578be53e1ff46dbe52fc95c153c7213ad9ca5d2206c3d6e8ad315bb98058ad8d806aa33affc1c22c9784ba73b2e7da20b36dd77421f85a90d0ba
- SSDEEP
  
  384:J1rc09Z2gN3uUXCKDWK93bZ3Jd0Oi9jqUOJesaxdu/+lW8wWhLCcMe/oTC4:H12jUXCH4rSqFCbU+17L3d/o+4
Score

1^/10
behavioral7 behavioral8
- Target
  
  $APPDATA/speakers/manifest/74.opends60.dll
- Size
  
  47B
- MD5
  
  4984eb04c8300f18b3cc077c0b589c9c
- SHA1
  
  b23c5002ea5d690740f3bd6df8a799dca6a2ca1f
- SHA256
  
  d2b3069fb7c0fdfae1f1ac228c38be695f6b3155d00ae20c30acdddc39c31ace
- SHA512
  
  400c423f22a378589f4cc227a030626f408ad24d40ae524eaf3bb4119a427ce968f112100e6c1d7b807f1ac7db67fb6a1325d899c75889b2b80f7073da999324
Score

1^/10
behavioral10 behavioral9
- Target
  
  $APPDATA/speakers/manifest/edbgcl.dll
- Size
  
  28KB
- MD5
  
  82645c2a2cb19c465c1d57e561d022b8
- SHA1
  
  ce21a234c6821b0aea12cf3b5cb1b3fcdc5b8ec7
- SHA256
  
  a071c2d03d3f9fc282c49e98758e012b9f8c0675b00b7d3589e4f20a98e2a950
- SHA512
  
  204f7c543eb2b8b6a983d39a07722f4fbbc7f60af082ce0c6a90f31c44b920115b1534bcdf3b14e3216af0894ec4ad974f24874a1f28716a98b0443064fa4d1a
- SSDEEP
  
  768:otC6PwhUl8ADS6lTCo1kjWUnFXz8h1rV:otCOXl8Ihu8kjW6K1rV
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $PLUGINSDIR/advsplash.dll
- Size
  
  5KB
- MD5
  
  3536302baf9f0a47cd5f9c0a5caf5bdd
- SHA1
  
  d6f2a6267724a122a10fc41c12cef2f69a3c1987
- SHA256
  
  b1ef42f722254532953051d08e6763fd1d9087441b2c58c268ffc71a37bbfcdd
- SHA512
  
  8d5ce29225ced31c7352f280ca7667703ce3337ba10a73a8fe398bcd43ab742fbd78123a5665babddb2a43cc564262c9e64de8c86cd46900e6c7bc9194f68ef0
- SSDEEP
  
  96:HqNXqwK188CgAtXvZBkjDf0yf9ysrtWpThwol:HAqrg1XvZB6kYtWpt
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $TEMP/Barracoon.dll
- Size
  
  16KB
- MD5
  
  78b9abbf79ea11a22c73107e63924bf7
- SHA1
  
  022e05bc47a33b20eeaf541d72b915187cc0702c
- SHA256
  
  5a3c55f4e99aed79b58cfc985661f0d055b3ddb759c96757724407d7435278b4
- SHA512
  
  aec84bbb46e93d149e955a7753bd9b138f1aa93e347f04ef6ec7bb78b999446265ec20fe555b0d1d16c959551019eea7b69b6dc75c2060605115327210a6b879
- SSDEEP
  
  192:WyqDoJe27ORNBXzXwTR1muELYWgHASgHASgHArHxvkZVk8e3zQeJuS2OkAda3nau:WvoJe2KRHXDgmueYUoorHxwVPeW6V+O
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  $TEMP/alumni_reunions/calendars/retail/52.opends60.dll
- Size
  
  48B
- MD5
  
  2c113f0eada02c58621b12aa16cf85c9
- SHA1
  
  a7a8b1b971c2765befdb16ee2b6043dd2dc155db
- SHA256
  
  8935bcf2c389ffdfa7bd3eccc2af92dd8092f11f8845d95f16e61f7393edf86b
- SHA512
  
  696b7699f1e57538549f9715be516ee101642c2d109d87cc0033f174c2151a1b4fafb00d881650f4e8947ce09565f6431092f67464812cbee43a18cf5a893285
Score

1^/10
behavioral17 behavioral18
- Target
  
  $TEMP/alumni_reunions/calendars/retail/MicrosoftXslDebugProxy.exe
- Size
  
  36KB
- MD5
  
  6ad1c32675ecd48f15535e4a0e474e28
- SHA1
  
  2d9b200ea1d9fb6442f21bb5441072bd4b9d1968
- SHA256
  
  46b1a81f5ebb43404ac7229d14593d5f47930c8fc3fb5279ac5402507f7ea7b3
- SHA512
  
  8a425760aa2e7bbe286b2322d2413eaee42d7e386448050c46f61c461481407800ed2b5bd19beee77dd74fcb30e496d36c303d0845e1ee138babf6f483da1659
- SSDEEP
  
  384:EW2BCQspyJi6d0XsNGIEP/06V78FIISqa4ld2Cxs+NHsRo8CWewMW:fBqJbS8N7IIlaAs+NHsKe
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  $TEMP/alumni_reunions/calendars/retail/VsLogP.dll
- Size
  
  6KB
- MD5
  
  42741f3de52a793918627eacbf6a45ca
- SHA1
  
  31310a08b370b8e56445791d93b6bf87464e808d
- SHA256
  
  0e269d428ecc49125bd2ff997a659c47d6b8124d38e1d9102d08e98f64055e85
- SHA512
  
  0143fab89d72cf3acea003ac418702dcc8ef3d9788396b7c6d797854904f21b1b024f5d9304346c9e8a1ae23fad25f69b3e01570984f50fdedc47967618c5c2a
- SSDEEP
  
  96:UteThBZRibjkt3sb8z6AC+AqAEWrZAdxWPV0:UteTXZRjt3sQzBAq5Wr+dxWN0
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  $TEMP/alumni_reunions/calendars/retail/almap.dll
- Size
  
  16KB
- MD5
  
  595f376cfd0583882f67f3bf16d88760
- SHA1
  
  699784474329d2f548a869fdd6211ffc5b7316cc
- SHA256
  
  154c99a265cff2e12f151d77d561f5a80b11c8227dcfc61cad0fbf1fb66d35b5
- SHA512
  
  fc0eaade59dbf155cb96a1750e849a78a2b59e74045ba729216835788f1de3b1690c467fe871fc5eda6ca59007dbec3ea43e8dd987786a4a355dd88a6aeb3ffb
- SSDEEP
  
  384:8qUuKJpjw9YxO9FJUuDq9j8tCqYqOO//ur/J5J+Of4o3VghRGA:8qUuKJpjwWO9FJUuDqigqYqOO//ur/JU
Score

1^/10
behavioral23 behavioral24
- Target
  
  $TEMP/map/clickheat/documents/74.opends60.dll
- Size
  
  47B
- MD5
  
  4984eb04c8300f18b3cc077c0b589c9c
- SHA1
  
  b23c5002ea5d690740f3bd6df8a799dca6a2ca1f
- SHA256
  
  d2b3069fb7c0fdfae1f1ac228c38be695f6b3155d00ae20c30acdddc39c31ace
- SHA512
  
  400c423f22a378589f4cc227a030626f408ad24d40ae524eaf3bb4119a427ce968f112100e6c1d7b807f1ac7db67fb6a1325d899c75889b2b80f7073da999324
Score

1^/10
behavioral25 behavioral26
- Target
  
  $TEMP/map/clickheat/documents/msisip.dll
- Size
  
  15KB
- MD5
  
  da23a12845607133acf1db3502d4e575
- SHA1
  
  3808f3a44ffb3b2bdb7a5e57c650b0a96cd52b5f
- SHA256
  
  cacbc2940693d704d489f90015d24a01ec509b426bd96febc1852131a53977b8
- SHA512
  
  8b0d6a3598d4bb6b4dd061d6ad1c56c1dc8fcad5047e5c484c9b85a9698e52029cd0d873dbe8c74bcb53e6d61750fbb616f1c9e6f8ecebb82367d9e73a14ba1b
- SSDEEP
  
  192:tF8MmFDXLSPZdLzAfbkKIcY7HvqAdsiLuvRzJhaSjocS0xY0Yrk26Ab8WQn:tqvFDXmPZN+/IcY7HyniCRa4IIYvGWQ
Score

8^/10

discovery
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
behavioral27 behavioral28
- Target
  
  $TEMP/referral/msvcrt80.dll
- Size
  
  38KB
- MD5
  
  cdce62bd68cfd6b3bee664e32453708a
- SHA1
  
  0315c77484f4f28c8e17c05ee20695dcd6001ce2
- SHA256
  
  19f4c2ffc874646f4f290a4255cba805e597d4569684d0537591588fea2f1962
- SHA512
  
  0e7aaa37a89f6bbe857112e749860e604573ec6473ae4b6232781b7580659376b22c40395ff302049f4764f85ed2dfc88a5268b5896288da4f3e9b53a17a00dc
- SSDEEP
  
  768:Jq8q7Y4Y4Y4d+pfeC5Z8U1l0TOu6OXQ+c+jiut+vSL3uBsP:Jq9dqfZ5Z8U10cA5QaGsP
Score

1^/10
behavioral29 behavioral30

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Manipulates Digital Signatures

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30