lokibot | 59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4 | Triage

Sharing

General

Target

file
Size

586KB
Sample

241122-t4r7qstqgx
MD5

66b03d1aff27d81e62b53fc108806211
SHA1

2557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA256

59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA512

9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d
SSDEEP

12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  file
- Size
  
  586KB
- MD5
  
  66b03d1aff27d81e62b53fc108806211
- SHA1
  
  2557ec8b32d0b42cac9cabde199d31c5d4e40041
- SHA256
  
  59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
- SHA512
  
  9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d
- SSDEEP
  
  12288:VrOj+Ri3AgFdZeDZskwkzA0+7xUNq4KC73vUECPnsSnR83PdB0:xQ3AgSskwZNeEqdCPssS3F
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan