lokibot | e6881dd3161106971c610e2bf44f6341da0a536fc29bb8b1a7f072bf40a85232 | Triage

Sharing

General

Target

ed4dc28b460ad98f6f8034ab823a897b_JaffaCakes118
Size

553KB
Sample

240920-lg175azbnb
MD5

ed4dc28b460ad98f6f8034ab823a897b
SHA1

953c7522348b5f20f5bafa15bbd1f1e35b3a4bac
SHA256

e6881dd3161106971c610e2bf44f6341da0a536fc29bb8b1a7f072bf40a85232
SHA512

5a12a9c9a91589897be03742d54afe2565864a63ec76c8e21cfd7f0840cd50e6e87ae7076439c12ac4a682bcbd79d32acbe9e4e5cf7dbd0d99ebc5ef6ad77436
SSDEEP

12288:1KAnvQvM6adtk4j3luEylepUcf0cg8iRk/t2:1Dn4mt1cL7cg8kk/t

Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://modcloudserver.eu/nwamama/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  ed4dc28b460ad98f6f8034ab823a897b_JaffaCakes118
- Size
  
  553KB
- MD5
  
  ed4dc28b460ad98f6f8034ab823a897b
- SHA1
  
  953c7522348b5f20f5bafa15bbd1f1e35b3a4bac
- SHA256
  
  e6881dd3161106971c610e2bf44f6341da0a536fc29bb8b1a7f072bf40a85232
- SHA512
  
  5a12a9c9a91589897be03742d54afe2565864a63ec76c8e21cfd7f0840cd50e6e87ae7076439c12ac4a682bcbd79d32acbe9e4e5cf7dbd0d99ebc5ef6ad77436
- SSDEEP
  
  12288:1KAnvQvM6adtk4j3luEylepUcf0cg8iRk/t2:1Dn4mt1cL7cg8kk/t
Score

10^/10

lokibot discovery persistence spyware stealer trojan collection credential_access
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotdiscoverypersistencespywarestealertrojan

behavioral2

lokibotcollectioncredential_accessdiscoverypersistencespywarestealertrojan