lokibot | 640eda196b67a6222585e599e35ae69042b3d2e8128e4b115a2670b6249b8412 | Triage

Sharing

General

Target

cfd67cb1024bd319d2b796f5bcf797b8_JaffaCakes118
Size

336KB
Sample

240906-srdyxatckl
MD5

cfd67cb1024bd319d2b796f5bcf797b8
SHA1

5407c55640fa513e5d12c1c6c24ab70ff70df9d3
SHA256

640eda196b67a6222585e599e35ae69042b3d2e8128e4b115a2670b6249b8412
SHA512

dbbf33c7e7de077a2e29c2e0808aa8b51cdfd63f452c586bb5e8456bad7aa2d3f2efb9f27ba6a67625b5f3a7afd0488afd7d29d70f971adc561e0bbf9061b75e
SSDEEP

6144:fEvxM0+13uXHGg5aTeWp6PyUMz9RARogjq1JWuf7JjuPZqe3/MM6bvS:sviN13uXb5GeW3z9em1JJ5EjMM6O

Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://casafacilsj.com.br/fc/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  invoice.exe
- Size
  
  685KB
- MD5
  
  80bd19737639a4c0b961d4ec63982b9c
- SHA1
  
  3f978eb8c0f255dd69ce34b722ef76a2ed665684
- SHA256
  
  b1461b8757b501821aa3d3febe40b768a68a603b78db723b055bffc5f7566b5c
- SHA512
  
  2f3a665c0d6338dad316645af6e3016843fd432c42c23c03f74f207de5e9fedb0032af3683927b105c8ca7c2d71e2ad52ffeb62caf915a016ae27acb56a809b1
- SSDEEP
  
  6144:pSFMxo0+17uzHGg5oT4M56PysMz9R2RoyjqXJWujJJjiPtqe3grjv:pSyqN17uzb5I4Mzz9gSXJD5oo
Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan