lokibot

General

Target

5d4e35e3913b9a46150bcc2ba94e971a643465a143ba91fee659d6827fe828e1
Size

606KB
Sample

241121-zg8tvssjbk
MD5

edab91f4d832a9c0e6f43dddc6d239fe
SHA1

b6919e3980187a39748963f134d5509170a58fe4
SHA256

5d4e35e3913b9a46150bcc2ba94e971a643465a143ba91fee659d6827fe828e1
SHA512

b40f822f773843bcf0e46598e4a28fa94063914d634b55e701561536fb1e47bd70d30fe8234184d99b9da364c852dc26d8c90aba5c99040b23b1a1d809fd335e
SSDEEP

12288:nJx5GPykD5jDBfoVhQGrEAxADBB4ytcxh+E+RYmmKpByk6IYpU/cBQ:nJTGx1DVoQQEzcytcH+E+RYmmKpB9wpS

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

u8nw

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Extracted

Family

lokibot

C2

http://bobydomain.com/okfile/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  FACTURA.exe
- Size
  
  259KB
- MD5
  
  dbe8f4544e6c99ac9311d37139150e9a
- SHA1
  
  14da5f434e987b372a2e783d49134877bcce9ebe
- SHA256
  
  c3192d94f1b44c9c8ce94f3865d88b1a169dde10f3dadf3a517c3de34487a5a5
- SHA512
  
  25a785d5d9cd19bf0e9805dee79433140de4cd5fc3384e292ec6421089f0560fdb44fcb0a2eed8a2774f9d3a89a6c30b5cc1248756d3b44125e478bc991e8a41
- SSDEEP
  
  3072:7Ere7GjyCaFvcm6kDbv4cYMzwdr74NVwfuSJZKSCKwlZGFs/LOC8sTkZtcEPE3fV:7PXz3AcYVaeuS7K/K6ZGVzZtNE3rZ
Score

10^/10

xloader u8nw discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/772vhhojj684oi.dll
- Size
  
  5KB
- MD5
  
  5e3d3dadd742c63f01034fb9175caef2
- SHA1
  
  a3c3cdd8ba24655f36ef248678efe1fade8bc6e8
- SHA256
  
  c5e4e3bca252502d2c1b4dd9af51de6f14f495b97965e6f0cb9689ce2501afe1
- SHA512
  
  6d19e6f22dd4442baf620111e4370ebe83acde452240dfb171c6492051f9cbede8d1c0a7de538d012e20ef98e07d61ed1e126050a890425f4a868f27a4d66440
- SSDEEP
  
  96:EBxUgFl44+MRTXtEm1Rtwz6SJtxuR3kx:E1lRTv1Rtwz6
Score

10^/10

xloader u8nw discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  URGENT Request for Quotation.pdf.exe
- Size
  
  742KB
- MD5
  
  2c06382d5825ffba5cbe2e40c6b3c60e
- SHA1
  
  8b3b2f5a7dec1cf208abf3409cf13c1216d2edd8
- SHA256
  
  193f9577a84d3863b8499fde73484d510ba4f4235b93ad2d25195f57f78bd7ef
- SHA512
  
  39119f150e7cc8cfe7d9aa6cc96e9e1afdadeafbf7dc026faafb7c1be6175adc89a0e54275d3cdc04d4ea724b9a96a11a77c986c43662e6e8abb2ad33c69e367
- SSDEEP
  
  12288:9r5Gqy3+nOOVMODaugpEGSobPHVySR8S+wNdYB:i2lVMearEkvX1Bdq
Score

10^/10

lokibot collection discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral5 behavioral6