lokibot | d2bfff4427cf46d6d8b08bba3074da2e1c75206fdac41d199c6f8499b34255de | Triage

Sharing

General

Target

ec0f4a4f41d0aeefebc1fbc51414e458_JaffaCakes118
Size

943KB
Sample

240919-yd1teawhlh
MD5

ec0f4a4f41d0aeefebc1fbc51414e458
SHA1

eea03abc0ef118d2c51239d3aa76c46c7f466f5b
SHA256

d2bfff4427cf46d6d8b08bba3074da2e1c75206fdac41d199c6f8499b34255de
SHA512

ee0c98f4d78250f7172b56b77af389a62f94776d5de36f44bb6016c69fc54426411f1427f39651c41a71fb3f891ae1bbf020efde133bf9c85269c851834ddfcc
SSDEEP

24576:3PNLUEGFgR8aHkloVk3E+rArDb4XS2RLhsbb8v0VhxCTQHTnGpORsF9TbaDBe:fRUEn8/oVk3t0rYi2NhsMgCErGcC7TbX

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/7gEWZ4upg1lkl

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Shipping Details_PDF.exe
- Size
  
  2.5MB
- MD5
  
  a637931cd7ac4ac159a8d6f2a6307d87
- SHA1
  
  15268692891e33e0af25299f2f2f8f16a07fc3ae
- SHA256
  
  415bffdbe32e6a74b2e4eb0ca9edd495e8a67ff62ad060dbb5b87169780e3cb5
- SHA512
  
  42b5d9b97aedd15ffa863417f4fc176822b82cbce518f50b66217ca48b9744829af1ff64c4dc93ae936d604642718c44f4a9d711b6c7cfaf452b4b2915bb3575
- SSDEEP
  
  49152:SBoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGU:BX0zlC6mJ98A3hQ1a7
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan