lokibot | e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70 | Triage

Sharing

General

Target

cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118
Size

460KB
Sample

240830-vezqyswajn
MD5

cb41ab7f417be462a34754b5f862cbf6
SHA1

d03c1f82c582d9824b06d284225785432e976057
SHA256

e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70
SHA512

668403a2856073173a95787c63adb9c435494dab41be0c3d04ab3386474182b3cd2e1f1397046b82203b88cd1c8ec004b6a8b3df89aa437f62f5738024d7a9b6
SSDEEP

12288:3dp0NlFrPFxVB/H4RZFrmtdlEm9Ojz15eL:j0NlFrPFxVB/H4RZFrmvlEmEjS

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://corpcougar.in/jayy/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  cb41ab7f417be462a34754b5f862cbf6_JaffaCakes118
- Size
  
  460KB
- MD5
  
  cb41ab7f417be462a34754b5f862cbf6
- SHA1
  
  d03c1f82c582d9824b06d284225785432e976057
- SHA256
  
  e8be8e650e523ee3d17a389b2346bef51a7a83f6db16306f1d09456aea5dbe70
- SHA512
  
  668403a2856073173a95787c63adb9c435494dab41be0c3d04ab3386474182b3cd2e1f1397046b82203b88cd1c8ec004b6a8b3df89aa437f62f5738024d7a9b6
- SSDEEP
  
  12288:3dp0NlFrPFxVB/H4RZFrmtdlEm9Ojz15eL:j0NlFrPFxVB/H4RZFrmvlEmEjS
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan