lokibot | 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac | Triage

Sharing

General

Target

9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta
Size

23KB
Sample

241121-h9w74atrdr
MD5

ec0d423a3f72d69975a1e31a275f5377
SHA1

213922fb8456ecaadc24889afec1ac6ef5010c68
SHA256

9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
SHA512

8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad
SSDEEP

96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta
- Size
  
  23KB
- MD5
  
  ec0d423a3f72d69975a1e31a275f5377
- SHA1
  
  213922fb8456ecaadc24889afec1ac6ef5010c68
- SHA256
  
  9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
- SHA512
  
  8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad
- SSDEEP
  
  96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3
Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondefense_evasiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondefense_evasiondiscoveryexecutionspywarestealertrojan