lokibot

Sharing

Copy URL

Twitter E-mail

General

Target

ffb1efeb74150a5de45ed344f837da2e_JaffaCakes118
Size

368KB
Sample

240930-b19nha1dpq
MD5

ffb1efeb74150a5de45ed344f837da2e
SHA1

b451fc63aa0547063e74d26137fd6417385584da
SHA256

fca32cf0c62210488d4c092cb9e44b7089b661f7419f3c8a56c4f21a02991b4e
SHA512

1bc9293206ec8aef27c082bb0a977a0b1390185975846886d8fd05431b359ddcf63d4030a95a15859846f2ae53d089a697989c9f724cb3b599a5ddf2db5eb7d0
SSDEEP

6144:XPCganNZkbEWgWCLBcaNB+dRnEG6/xl4KSQdr0Lwne8MlD8sC/E91J4:tan/k4HIa+1y41Qp0LbD8z/2j4

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://remzclot.ga/etc/main/l09/ap0s/home.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  ffb1efeb74150a5de45ed344f837da2e_JaffaCakes118
- Size
  
  368KB
- MD5
  
  ffb1efeb74150a5de45ed344f837da2e
- SHA1
  
  b451fc63aa0547063e74d26137fd6417385584da
- SHA256
  
  fca32cf0c62210488d4c092cb9e44b7089b661f7419f3c8a56c4f21a02991b4e
- SHA512
  
  1bc9293206ec8aef27c082bb0a977a0b1390185975846886d8fd05431b359ddcf63d4030a95a15859846f2ae53d089a697989c9f724cb3b599a5ddf2db5eb7d0
- SSDEEP
  
  6144:XPCganNZkbEWgWCLBcaNB+dRnEG6/xl4KSQdr0Lwne8MlD8sC/E91J4:tan/k4HIa+1y41Qp0LbD8z/2j4
Score

10^/10

lokibot collection discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral1 behavioral2
- Target
  
  $TEMP/Predecease.dll
- Size
  
  43KB
- MD5
  
  4d1b85d0694a24b83403d75d07438deb
- SHA1
  
  0ada9f3851482638e8be5fcaa589760d9df84d4f
- SHA256
  
  b2e96ee15b7553cc22f0c43f80e2308a50f43d0dea020f9672d7a975bc51e34c
- SHA512
  
  8438cc4a4f909501ec4bff8ae77123e0c016962db4c9229c4b658d17518044598a9a11521db7e4b238b4d063750d147685081ce5dadc48d8db5cd60ae0ab2faa
- SSDEEP
  
  768:EmMJa3TjbYMF9YhE0RmnTEDj3vyVTsU9MBacUF+n:EmXRF9wIBRdMUcUsn
Score

10^/10

lokibot discovery spyware stealer trojan collection
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
behavioral3 behavioral4
- Target
  
  $TEMP/bookmark/thanks/69.opends60.dll
- Size
  
  46B
- MD5
  
  c169f4c07092a565283dd8ba7712484b
- SHA1
  
  8871f882152339810da164120251c38500e76d0c
- SHA256
  
  647a5c5fff49a5b936f92f1f074d2d8c66204ed486cec12d3fb2e3ce1e30dbe3
- SHA512
  
  db49323c2e49799e916467cca7063d81aea0a7bda0c32484b9f637c46cf18d9400888ec536d75d32bcee483cf3e6dafe1c3a66f2ba326d36cff5be37417b6434
Score

1^/10
behavioral5 behavioral6
- Target
  
  $TEMP/bookmark/thanks/79.opends60.dll
- Size
  
  49B
- MD5
  
  39d618d08910862f6fa19763ef8eb95a
- SHA1
  
  ec9946684d5e72dbc5bdcffa31167ad1a19e29bd
- SHA256
  
  92d13bd99d241df155dd56df72168e7a10662364dcde27ef06dde39731b5bde6
- SHA512
  
  ef157ac89850f9e5838c01307849aea5759868d045836b6fb3fad6834c5edde8882603e1a2f0aa4eefc5c37bb2583720f55263291fbfe902239998623be849f8
Score

1^/10
behavioral7 behavioral8
- Target
  
  $TEMP/bookmark/thanks/MFC80JPN.dll
- Size
  
  48KB
- MD5
  
  3e9b3cadc71ab38ff8183299ef772367
- SHA1
  
  4c9a4f181c31b92af497996a5f9c28b549633f12
- SHA256
  
  d688bbc45a22814403bda7609ec1650589f5d0acb8287ad72c6e493d51441e27
- SHA512
  
  4e49cd5737213dde86e662a12df5c0feb94adc30d54d5dc9219285047526ca0e6899ee59a3027cc2572b8c79f4af97c9b8a5392b911ddb873d734537d90a6e60
- SSDEEP
  
  384:hDNCysL/tAGqyVVp7vheBWlWRUJkQbXDr10Jh8I2Bb4:hZXsZAGDN7vQtUJkkr10IIc4
Score

1^/10
behavioral10 behavioral9
- Target
  
  $TEMP/bookmark/thanks/cert2spc.exe
- Size
  
  8KB
- MD5
  
  15d14d0403243f2939389b50e62a5d9c
- SHA1
  
  29ca8ad75a159cf8740f21f8e1a2649abf81589e
- SHA256
  
  c25f774434af1c494594d8315ca8cfd12257c53b8e3682e626b230b79dd5a863
- SHA512
  
  83f0b6074911f4f8fc74d556537c9a8a1999cfbf5b8dedd97a9b5824d3b3bc39b7e8b876e5aa68a9eb597ac89ccaba9a516df21446200aa172994718c62a1ead
- SSDEEP
  
  192:nuF8MV0BxUAOW/3m3tGdqhIEg0YHvWCcqoS/W5e:n+8MVA1S3txg0avW1xS/W5e
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  $TEMP/bookmark/thanks/crtowordsde.dll
- Size
  
  17KB
- MD5
  
  9fed64eea493bcf3cefa9df973bc4a53
- SHA1
  
  fecd887152f633bc5f7dcea0d064b0482f262840
- SHA256
  
  6279439648d1a49260ccfec46a80625b2aeafad80c2a9025ec07eba00f56e007
- SHA512
  
  e265765505fb19e84e37615b7128b21183519c885ebffe2ad9036550dc1b9ecfce7a8f77c687b7d00ef9adfbc250fc5781667f24ec2887eb30eedb59f80d28fb
- SSDEEP
  
  192:ZDMGdIACora7NXqHP4oKvZeSK3Xz7Ygx1LfYL/CldolMvMjGwPyMojT+KzVMiDMD:bdIA9h0ijvx1LwLCcY9jBJJLDkL
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  $TEMP/bookmark/thanks/editbin.exe
- Size
  
  15KB
- MD5
  
  ef322d97e0bf036e236a85a19d85235e
- SHA1
  
  3c72a0f0173911cc712bd2e4602816bb2ccea697
- SHA256
  
  51ff3ff717529746ccea8412da24a6d57b6c04d32aad04059b53b49d93776de4
- SHA512
  
  bf4ad9c7909439ca3e225959f70f48169ba729f0d45fb1ea5e4c00d60e9da5bb7cb4ed91f1d443df2b4d4b57d44161fe3148cba773be6c13534b019beb9a75ae
- SSDEEP
  
  384:DtJDDMj+hlgzaDSSBgWVb7aWpRLCcMe/oTC0z:TUmPeSBTXL3d/o+O
Score

1^/10
behavioral15 behavioral16
- Target
  
  $TEMP/bookmark/thanks/interfaces.dll
- Size
  
  8KB
- MD5
  
  4fca230d88b5afa87caa2428031ebed1
- SHA1
  
  4a350e06c30aaf1f7f62a6cd50cb1a7d355f98b2
- SHA256
  
  e030f6f525673325d2a605d418f6869019e4dfa83809fb367b71538ad796e7b9
- SHA512
  
  109deca8be8d449845c39ce4f297c547d7375a756cb76a61bcdf768e71d44a6347b474cd2093bb765b1beedf36c60cdcf8041781e05b2143f61e7427108a5772
- SSDEEP
  
  192:rAh/YQtAlig3s2vMOlNT7ITIaUWylGYtmW8xfQ0igt7w5iW920TEWX:rOByig8iMOrMTIaUyWqligVw5iW92AEy
Score

1^/10
behavioral17 behavioral18
- Target
  
  $TEMP/list_users/4.opends60.dll
- Size
  
  43B
- MD5
  
  6dd3e060afd3f50cde4f99b268bbe4b2
- SHA1
  
  71d21643a449b436f31f67d25adb32ab56c895e2
- SHA256
  
  243f5d4a34cfe932b9c7ba2a1a0a5a4e66952bfb454fb7becf8d43b6be6bca2d
- SHA512
  
  9b201956d90f887adfa47c43d2cb016d37c82db250160fa2e5652d4bede4e24d50644448603126c4d6d7f288f6eb853a423e06254462c146c29de65758ea1de4
Score

1^/10
behavioral19 behavioral20
- Target
  
  $TEMP/list_users/IEHost.dll
- Size
  
  36KB
- MD5
  
  3cf103c013c83dd3bab1620d1605906f
- SHA1
  
  b16be1b09cd68118111d9729b288215a9d05b448
- SHA256
  
  f88b3210c26494d64c7a2f376b166953370e21abaaed8f2ce9882c975a352ca7
- SHA512
  
  41227daea0da05be9c61e7558aface164f8220b1b4122c219fe8fff727cfd8be7bae18bfecf456b6f8d09fbe5fe1115ea6e09b1d9dfe16eb3bb33f28db5abb0f
- SSDEEP
  
  384:iGS88qBmW9dxYavRMiAOtGjxdUhDfSao0qSxhM8bS01jzfWtuw8W:H8qBvt9vRhAOtG9CSQpt1k
Score

1^/10
behavioral21 behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Lokibot

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22