lokibot | 8679bc0899fa881c2df5ee13a0a97fbdb14712ba9599c9d9bfcf8444f68312c8 | Triage

Sharing

General

Target

210da055070c2b04b4555752e8e1651b_JaffaCakes118
Size

704KB
Sample

241008-mhc3cssfqr
MD5

210da055070c2b04b4555752e8e1651b
SHA1

fae84c44f55fc07f7184927cc603eb4c787b5c61
SHA256

8679bc0899fa881c2df5ee13a0a97fbdb14712ba9599c9d9bfcf8444f68312c8
SHA512

8000f5fb663e1e7cb09e823748aa57b13c529de03efe4d3df9a61cb0b23fe54d164b3ea680ce8f67964bb513c42a333e115e45fe9033c11b1739043db5f08177
SSDEEP

12288:9EcB7rgUSPwodwuLE1mdOd7A2YBianCsGCp9dKgAYkx:9EGrbSYeLqmdOd7A2YBianCsGCpLAYkx

Score

10^/10

lokibot collection discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://dymanite.ca/ome/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  210da055070c2b04b4555752e8e1651b_JaffaCakes118
- Size
  
  704KB
- MD5
  
  210da055070c2b04b4555752e8e1651b
- SHA1
  
  fae84c44f55fc07f7184927cc603eb4c787b5c61
- SHA256
  
  8679bc0899fa881c2df5ee13a0a97fbdb14712ba9599c9d9bfcf8444f68312c8
- SHA512
  
  8000f5fb663e1e7cb09e823748aa57b13c529de03efe4d3df9a61cb0b23fe54d164b3ea680ce8f67964bb513c42a333e115e45fe9033c11b1739043db5f08177
- SSDEEP
  
  12288:9EcB7rgUSPwodwuLE1mdOd7A2YBianCsGCp9dKgAYkx:9EGrbSYeLqmdOd7A2YBianCsGCpLAYkx
Score

10^/10

lokibot collection discovery persistence privilege_escalation spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Accesses Microsoft Outlook profiles
  collection
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoverypersistenceprivilege_escalationspywarestealertrojan

behavioral2

lokibotcollectiondiscoverypersistenceprivilege_escalationspywarestealertrojan