lokibot | 74f7256023d3638272f7eb34e10eb16aa08da56c818f2c296eb37b49dc8d7641 | Triage

Sharing

General

Target

5a289141e67254662e3de8153a65fba0N.exe
Size

510KB
Sample

240906-lthxbazbmn
MD5

5a289141e67254662e3de8153a65fba0
SHA1

4b7b5d2fd67df990bde1006f359d8f630cd97781
SHA256

74f7256023d3638272f7eb34e10eb16aa08da56c818f2c296eb37b49dc8d7641
SHA512

99ca558b34f1702c9addba9057dd4cd86258f26e3716812cbfe4e25217e3df5e9fcf98674d61a34cd9d6903489d41a34b0375d2fabb64bff2d340fbbddbb5b9a
SSDEEP

6144:t01IhC1ZueHrCqZFCoM7q47sdy1f6NJDQzbTOjHm7Af7OMgpx11H4/5dofKx/8GP:t0bfHLC9f56mym7ZZjPHKo+esTCmW+8

Score

10^/10

lokibot aspackv2 bootkit collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sbrglobal.net/looms/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  5a289141e67254662e3de8153a65fba0N.exe
- Size
  
  510KB
- MD5
  
  5a289141e67254662e3de8153a65fba0
- SHA1
  
  4b7b5d2fd67df990bde1006f359d8f630cd97781
- SHA256
  
  74f7256023d3638272f7eb34e10eb16aa08da56c818f2c296eb37b49dc8d7641
- SHA512
  
  99ca558b34f1702c9addba9057dd4cd86258f26e3716812cbfe4e25217e3df5e9fcf98674d61a34cd9d6903489d41a34b0375d2fabb64bff2d340fbbddbb5b9a
- SSDEEP
  
  6144:t01IhC1ZueHrCqZFCoM7q47sdy1f6NJDQzbTOjHm7Af7OMgpx11H4/5dofKx/8GP:t0bfHLC9f56mym7ZZjPHKo+esTCmW+8
Score

10^/10

lokibot bootkit collection credential_access discovery persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotbootkitcollectioncredential_accessdiscoverypersistencespywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan