lokibot | 809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202 | Triage

Sharing

General

Target

nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
Size

131KB
Sample

241029-pf13hstqcy
MD5

07a93908c3113536577c9c5b734a0af0
SHA1

794af14ec431e796ca6b61ed2094f623b86d77a9
SHA256

809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202
SHA512

34ef8170d518afbf42bc16a0759f3609153338e6e4bbc1ce05e94933e13ce4f6c1c8f5de7aedfe5f675311f593d5cbe377908815922d55a076eaa7c35493ba79
SSDEEP

96:4vCt72QeBoCn7iY1opReQiY7ERPI/T5eodWQ:4vCF2QeaCmsoMY7MnAWQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

lokibot

C2

http://94.156.177.220/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
- Size
  
  131KB
- MD5
  
  07a93908c3113536577c9c5b734a0af0
- SHA1
  
  794af14ec431e796ca6b61ed2094f623b86d77a9
- SHA256
  
  809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202
- SHA512
  
  34ef8170d518afbf42bc16a0759f3609153338e6e4bbc1ce05e94933e13ce4f6c1c8f5de7aedfe5f675311f593d5cbe377908815922d55a076eaa7c35493ba79
- SSDEEP
  
  96:4vCt72QeBoCn7iY1opReQiY7ERPI/T5eodWQ:4vCF2QeaCmsoMY7MnAWQ
Score

10^/10

defense_evasion discovery execution lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecution

behavioral2

lokibotcollectiondefense_evasiondiscoveryexecutionspywarestealertrojan