lokibot | 712fcb950fd221eaee4a2c231f97f45e6f6c1046acb73ffc01a49f21f6a53b17 | Triage

Sharing

General

Target

f582c22249526335ae6b2916c0e0fa26_JaffaCakes118
Size

937KB
Sample

240925-jfpftswdjd
MD5

f582c22249526335ae6b2916c0e0fa26
SHA1

0c4142688abffa99999cdbeb95468e666cf65fea
SHA256

712fcb950fd221eaee4a2c231f97f45e6f6c1046acb73ffc01a49f21f6a53b17
SHA512

edd3b2881315f699650dc9093d85f7007755d6485872a427d5afa7c0e3530339563396206863047696ec57f18a70ace338882e7bd0f18660c4fb7a734b17c874
SSDEEP

24576:ruSb0vKvZtt9oSO9yhvaH4Ztt9oSO9yI:ybGHtO9yNs4HtO9y

Score

10^/10

lokibot aspackv2 collection discovery persistence spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

C2

http://begurtyut.info/kobi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  f582c22249526335ae6b2916c0e0fa26_JaffaCakes118
- Size
  
  937KB
- MD5
  
  f582c22249526335ae6b2916c0e0fa26
- SHA1
  
  0c4142688abffa99999cdbeb95468e666cf65fea
- SHA256
  
  712fcb950fd221eaee4a2c231f97f45e6f6c1046acb73ffc01a49f21f6a53b17
- SHA512
  
  edd3b2881315f699650dc9093d85f7007755d6485872a427d5afa7c0e3530339563396206863047696ec57f18a70ace338882e7bd0f18660c4fb7a734b17c874
- SSDEEP
  
  24576:ruSb0vKvZtt9oSO9yhvaH4Ztt9oSO9yI:ybGHtO9yNs4HtO9y
Score

10^/10

lokibot collection discovery persistence spyware stealer trojan upx
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoverypersistencespywarestealertrojanupx

behavioral2

lokibotcollectiondiscoverypersistencespywarestealertrojanupx