lokibot | 9d6ea1996d7937774e84bb54d4eeb10fd809750929612aa3ad9b8a4983e678d8 | Triage

Sharing

General

Target

Payment.details.xls
Size

223KB
Sample

241205-ek72hsxqbz
MD5

10c7cc7db72939c42639d9b55d192837
SHA1

440e1474a4497a155dd283c4699083bb4089e900
SHA256

9d6ea1996d7937774e84bb54d4eeb10fd809750929612aa3ad9b8a4983e678d8
SHA512

5e709f7e40f4b4ce4b514d44a24fe1052557deae646c7aa2c893576bdf01ebafea5a6221b63385e45506843b740d3ebd31672531e2724848188688560e52bbb4
SSDEEP

6144:gxEtjPOtioVjDGUU1qfDlavx+W2QnAZSFrpS3yfjKdbQ3hn1nh8P2fXLHbm4/iji:WIVSiz51C8Xrb5/4i

Score

10^/10

lokibot collection discovery macro macro_on_action spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://www.stipamana.com/vimrshyjdft/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Payment.details.xls
- Size
  
  223KB
- MD5
  
  10c7cc7db72939c42639d9b55d192837
- SHA1
  
  440e1474a4497a155dd283c4699083bb4089e900
- SHA256
  
  9d6ea1996d7937774e84bb54d4eeb10fd809750929612aa3ad9b8a4983e678d8
- SHA512
  
  5e709f7e40f4b4ce4b514d44a24fe1052557deae646c7aa2c893576bdf01ebafea5a6221b63385e45506843b740d3ebd31672531e2724848188688560e52bbb4
- SSDEEP
  
  6144:gxEtjPOtioVjDGUU1qfDlavx+W2QnAZSFrpS3yfjKdbQ3hn1nh8P2fXLHbm4/iji:WIVSiz51C8Xrb5/4i
Score

10^/10

lokibot collection discovery spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

lokibotcollectiondiscoveryspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryspywarestealertrojan