lokibot | 747c4c79ef43860b4c2cb8e34fbe71570a4f8a9827bb3e691fea04b2e1c4f112 | Triage

Sharing

General

Target

ed0b6c1fa63db998449cbfbcdd8863d2_JaffaCakes118
Size

225KB
Sample

240920-hj3xystfqp
MD5

ed0b6c1fa63db998449cbfbcdd8863d2
SHA1

68e15bba6474389b91d2e86aa7d0d1125bb58af3
SHA256

747c4c79ef43860b4c2cb8e34fbe71570a4f8a9827bb3e691fea04b2e1c4f112
SHA512

00e83ebec5e0265087c4c5fb8a45151d95a893a9829a3825a263baa518943929242c341f1c601262de2f3810204e6d379d3b4ba91992cce17789e17392f0518d
SSDEEP

6144:ImkJ+rtNzcUsKcYv7/XQ/ge4oSJI8hsdLRHskOZ1:K+rtN4UsKcJmDIwWLNskOZ1

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://nextwaveconsulting.com.au/ftp/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Pictures specification.exe
- Size
  
  436KB
- MD5
  
  a6b25df92bf20d0accfacca0ceb6ff00
- SHA1
  
  7f50a41ccaddb514fb49806e06e88bb79e518629
- SHA256
  
  6ed8f3ea0e3b32509af38df9c4691eb45c4680cd6198cf1dcb837071ce8236cf
- SHA512
  
  3388924f2a4d3901f484a12f5bb26ef7a75e2224e4281a79f1baf22599f205dd50204dd39be3a4b862d928f97e0d5ae9ce9ef6380edd751d51bf8e6f7f43573a
- SSDEEP
  
  6144:LNEQkZ+rtNzcUsmcYd7/5Q/ge/9I8hspMIdWDrTY6SIQs:LNE1+rtN4UsmcRzIw2dMws
Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Drops startup file
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoveryspywarestealertrojan