lokibot | 62e0fac7c5231aa0d8d5f0fdb9e64d8bdadf79934a26577282b7affbc557a5fb | Triage

Submit
Reports

Overview

overview

Static

static

5

9876567899.bat.exe

windows7-x64

9876567899.bat.exe

windows10-2004-x64

Sharing

General

Target

9876567899.bat.exe
Size

1.1MB
Sample

250107-l3zw7awndv
MD5

6d9798801523ee1c8c5dc83d28346814
SHA1

66d6c6e65ffb8c635a286d68de624ef5d469cf9b
SHA256

62e0fac7c5231aa0d8d5f0fdb9e64d8bdadf79934a26577282b7affbc557a5fb
SHA512

9dfc24338cee8dbbe830f4011d9b91fcaecbb861e75b19b9d28614f1d3b7d290da4c1146251a09cb66b0b9872e7bf12c6899ca8090d1292cc0c11e2e0e700164
SSDEEP

24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8ahmu9LHa7yyx:RTvC/MTQYxsWR7ahmiHaOy

Score

10^/10

lokibot collection discovery persistence spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

9876567899.bat.exe

Resource

win7-20240729-en

lokibot collection discovery spyware stealer trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

9876567899.bat.exe

Resource

win10v2004-20241007-en

lokibot collection discovery persistence spyware stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://172.245.123.11/tpm/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  9876567899.bat.exe
- Size
  
  1.1MB
- MD5
  
  6d9798801523ee1c8c5dc83d28346814
- SHA1
  
  66d6c6e65ffb8c635a286d68de624ef5d469cf9b
- SHA256
  
  62e0fac7c5231aa0d8d5f0fdb9e64d8bdadf79934a26577282b7affbc557a5fb
- SHA512
  
  9dfc24338cee8dbbe830f4011d9b91fcaecbb861e75b19b9d28614f1d3b7d290da4c1146251a09cb66b0b9872e7bf12c6899ca8090d1292cc0c11e2e0e700164
- SSDEEP
  
  24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8ahmu9LHa7yyx:RTvC/MTQYxsWR7ahmiHaOy
Score

10^/10

lokibot collection discovery spyware stealer trojan persistence
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryspywarestealertrojan

behavioral2

lokibotcollectiondiscoverypersistencespywarestealertrojan

© 2018-2025

Terms | Privacy