lokibot | b39688815505416bd3ce779da8714b4eb492dea27036998ad90ddc439b8d554f | Triage

Sharing

General

Target

Bnnebgers.vbs
Size

70KB
Sample

240930-js983atelr
MD5

5b6ded9dd4c8b33c96ec2dfccc4185ba
SHA1

baf00d33cc29a38cedd43d1b483a24e5af5ef707
SHA256

b39688815505416bd3ce779da8714b4eb492dea27036998ad90ddc439b8d554f
SHA512

aeb3c167595408bb06a89a18c48fa4f097c5f4ad22b1fe0a8ddbb120d7b4b57939789a5b5427fdb3fe781c0bed78589bc618b724c0a73345aa502eb93c611b57
SSDEEP

1536:susq1DWeDHqjpgA5JePv0wXvLr+s3NyQr0AyG1XLatJkYf:susq1qeZAHeP2s3BYU1Xqf

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/039

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Bnnebgers.vbs
- Size
  
  70KB
- MD5
  
  5b6ded9dd4c8b33c96ec2dfccc4185ba
- SHA1
  
  baf00d33cc29a38cedd43d1b483a24e5af5ef707
- SHA256
  
  b39688815505416bd3ce779da8714b4eb492dea27036998ad90ddc439b8d554f
- SHA512
  
  aeb3c167595408bb06a89a18c48fa4f097c5f4ad22b1fe0a8ddbb120d7b4b57939789a5b5427fdb3fe781c0bed78589bc618b724c0a73345aa502eb93c611b57
- SSDEEP
  
  1536:susq1DWeDHqjpgA5JePv0wXvLr+s3NyQr0AyG1XLatJkYf:susq1qeZAHeP2s3BYU1Xqf
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan