lokibot | c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25 | Triage

Sharing

General

Target

c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25.vbs
Size

78KB
Sample

241002-bzjqpa1anr
MD5

8de3bba9fb959d08b3719f1281957c56
SHA1

b8132af0e02ecb58c3c3eb39fe919e3b805106cf
SHA256

c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25
SHA512

8024de858f6d4ec08728944183309650f3f0a7fdc7e83eee53852d00efc37f845ff03bbca42ccd0284282e29c38937a82004bf1b8c3ce439ccc93714fa02f93c
SSDEEP

1536:sUjz/4d4EMT6SUAQZWwGcKQeH+4my6lGiYeJztAxUCDYf:sUjsLAgWO4mF1YhQf

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/check.php?s=am9ntjjw

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25.vbs
- Size
  
  78KB
- MD5
  
  8de3bba9fb959d08b3719f1281957c56
- SHA1
  
  b8132af0e02ecb58c3c3eb39fe919e3b805106cf
- SHA256
  
  c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25
- SHA512
  
  8024de858f6d4ec08728944183309650f3f0a7fdc7e83eee53852d00efc37f845ff03bbca42ccd0284282e29c38937a82004bf1b8c3ce439ccc93714fa02f93c
- SSDEEP
  
  1536:sUjz/4d4EMT6SUAQZWwGcKQeH+4my6lGiYeJztAxUCDYf:sUjsLAgWO4mF1YhQf
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan