lokibot | 19fc1dd23605dac18b071693978f7a27fba7dc0e112ceb12b99a8b0334569f0a | Triage

Sharing

General

Target

30092024124229092024PERMINTAANANGGARANUniversitasIPBID177888.rar
Size

32KB
Sample

240930-zrk6jsvdkm
MD5

6cfc2c072663cd8cf83452fffea0f1a4
SHA1

513d4659c2a44ce344ae60948892eb52ced22d85
SHA256

19fc1dd23605dac18b071693978f7a27fba7dc0e112ceb12b99a8b0334569f0a
SHA512

18b1ccd2af1147c5d78d9a0d9c2a696e41490ed06f394f7fc67ea52fd1bc916da1441bde87826188c31bbf9cc7021d316260bb792f649ae81fa22aedefafdc28
SSDEEP

768:us7lBVwt8IGMgLTjzTYTDnhQe6VISW6+Dd+Czr1D8w+s:vbKtfGMXHgId7dH5Jj

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?s=am9ntjjw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.vbs
- Size
  
  72KB
- MD5
  
  cf3ce0d565b919fe45d02705736fe824
- SHA1
  
  0924076c6434b432b18fd0b298a2b5b14e38b754
- SHA256
  
  96c1a11d9036afc58f65d8533f2c37b7fc64048e21bc60f28f0bb9311902e80f
- SHA512
  
  eb44246e1c25d9cfcb49f724f710b21432fb8fab17b1344c3af142ef5959542a01db052db1e02b8f9af1df07872d3508fa99718a95260440b450bcee035fc431
- SSDEEP
  
  1536:sTgvWHbK7HAM/TkMCV5i+8Q5+h+4C/hNGweE+f:sTgeMAITO8QS+lkf
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan