chimera | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz[.]bat | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

https://github.com/D...

windows10-2004-x64

Resubmissions

28-12-2024 22:24

241228-2bslsstndj 10

28-12-2024 22:19

241228-18zwpstjcx 7

Sharing

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz.bat
Sample

241228-2bslsstndj

Score

10^/10

chimera lokibot agilenet collection discovery persistence ransomware spyware stealer trojan

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz.bat

Resource

win10v2004-20241007-en

chimera lokibot agilenet collection discovery persistence ransomware spyware stealer trojan

windows10-2004-x64

31 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/L0Lz.bat
Score

10^/10

chimera lokibot agilenet collection discovery persistence ransomware spyware stealer trojan
- Chimera
  Ransomware which infects local and network files, often distributed via Dropbox links.
  ransomware chimera
- Chimera Ransomware Loader DLL
  Drops/unpacks executable file which resembles Chimera's Loader.dll.
  ransomware
- Chimera family
  chimera
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Renames multiple (3322) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

chimeralokibotagilenetcollectiondiscoverypersistenceransomwarespywarestealertrojan

© 2018-2025

Terms | Privacy