lokibot | f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b | Triage

Sharing

General

Target

DRAFTDOC2406656.bat.exe
Size

542KB
Sample

241011-fs4jqssbnj
MD5

727b91c3fd7ca790814a5eca87ba9dd7
SHA1

3dcba9c3db41b556f1ca5cb73c0fcfa2713a639a
SHA256

f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b
SHA512

3b2b768a68449ad51db763a5e936fb189187d2c78f94ad25ad998f89fc75751a6e1e2ce4e3b63e0cec58e502271997180d4597fadd783284cf344c59f922164c
SSDEEP

12288:/nw1qbuuNYABD1IKZ8zq91PXlzUWqp4L63psN1jQXCkR:/nehuHZOq9TF042x

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://touxzw.ir/sirr/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  DRAFTDOC2406656.bat.exe
- Size
  
  542KB
- MD5
  
  727b91c3fd7ca790814a5eca87ba9dd7
- SHA1
  
  3dcba9c3db41b556f1ca5cb73c0fcfa2713a639a
- SHA256
  
  f972a54ca5d86ea9ced7ddc4621a816f1ae22b6fe0a24e40fbef01ce07283e1b
- SHA512
  
  3b2b768a68449ad51db763a5e936fb189187d2c78f94ad25ad998f89fc75751a6e1e2ce4e3b63e0cec58e502271997180d4597fadd783284cf344c59f922164c
- SSDEEP
  
  12288:/nw1qbuuNYABD1IKZ8zq91PXlzUWqp4L63psN1jQXCkR:/nehuHZOq9TF042x
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan