lokibot | 12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394 | Triage

Sharing

General

Target

12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394.vbs
Size

73KB
Sample

241002-f2lqaayglk
MD5

5cc7cf5b0814e2f80bad4c4e85831e96
SHA1

93ed4011fc57034804feb5bd8ea61c6cf7b30cce
SHA256

12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394
SHA512

f9834c708ff8af1734b345f156d7abcebc8675f6e481fe65ac4512578d71cac11a3eba9779f2708a990858da9dce32c2e8416c967b77701991d7692393fa8c09
SSDEEP

1536:s+0UNtNTLbVAumhqIkeF+3e+2Tyf4hHKMHAqLkf:s+5LfAFh62TS4hKf

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://137.184.191.215/index.php/10899

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394.vbs
- Size
  
  73KB
- MD5
  
  5cc7cf5b0814e2f80bad4c4e85831e96
- SHA1
  
  93ed4011fc57034804feb5bd8ea61c6cf7b30cce
- SHA256
  
  12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394
- SHA512
  
  f9834c708ff8af1734b345f156d7abcebc8675f6e481fe65ac4512578d71cac11a3eba9779f2708a990858da9dce32c2e8416c967b77701991d7692393fa8c09
- SSDEEP
  
  1536:s+0UNtNTLbVAumhqIkeF+3e+2Tyf4hHKMHAqLkf:s+5LfAFh62TS4hKf
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan