lokibot | d1398a54275d65d1bbb0f8937e4de1263dc5293586d58d8140418c9ee162e27c | Triage

Sharing

General

Target

d13c24b61ac52b01014327c7e11c6119_JaffaCakes118
Size

730KB
Sample

240907-gq24kaybln
MD5

d13c24b61ac52b01014327c7e11c6119
SHA1

8b80950f33a46f0e343b25304ab33b3a870f93a9
SHA256

d1398a54275d65d1bbb0f8937e4de1263dc5293586d58d8140418c9ee162e27c
SHA512

176b97c3111b309b3ee293887cda863ecf6542cf72eaad2087d9eef8f4d19792b6698e986ded7b52a796f45f66cec0bdb1ed6ed37fba10b15cd5cf2942294543
SSDEEP

12288:YOqAVKVf30cuNX9Zedh7ERrW+sfJ19PPzovgso1pQfg7NvqlAxgA5UL5hc:YKAVRuNNZ87AW/fJ1V5scmGuA5UNhc

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://bibpap.com/1g7/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  d13c24b61ac52b01014327c7e11c6119_JaffaCakes118
- Size
  
  730KB
- MD5
  
  d13c24b61ac52b01014327c7e11c6119
- SHA1
  
  8b80950f33a46f0e343b25304ab33b3a870f93a9
- SHA256
  
  d1398a54275d65d1bbb0f8937e4de1263dc5293586d58d8140418c9ee162e27c
- SHA512
  
  176b97c3111b309b3ee293887cda863ecf6542cf72eaad2087d9eef8f4d19792b6698e986ded7b52a796f45f66cec0bdb1ed6ed37fba10b15cd5cf2942294543
- SSDEEP
  
  12288:YOqAVKVf30cuNX9Zedh7ERrW+sfJ19PPzovgso1pQfg7NvqlAxgA5UL5hc:YKAVRuNNZ87AW/fJ1V5scmGuA5UNhc
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan