lokibot | 48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5 | Triage

Sharing

General

Target

48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5
Size

561KB
Sample

250225-efb4aasns3
MD5

45b9e2bd053cafc0442a7e18c8ce50aa
SHA1

26f233a8102135aff6edf305b48195fe1c9e7d72
SHA256

48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5
SHA512

d56c96c479493fdd692d59a97e58d04cef4ccd90ecc8c42283d9f2cda9fe894112cad124af23ab83367e6cd2dafffc37de0cf69fa24f11d7a2283f8a17261bbb
SSDEEP

12288:/3BNiI12uj7GPWM1POJHb2SLjfkDWuMhZm7GfEkVseyT2xYY:ZNpzuPn1mcS3kaBnm7QVsrK

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/sss1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Bank Slip pdf.exe
- Size
  
  719KB
- MD5
  
  4e4108ccf43fde81b96e2606d38628a0
- SHA1
  
  7e557a4e252df3f86b6fa10e61d558ed15727345
- SHA256
  
  9f259eea8c8508b1b3c77ebde3441e0c8618e253739e4ce469a93d9fd33264af
- SHA512
  
  3fe601d94128cbca5a506ed88fcd45b16e69fdd8e3ff85b3286dc8039479c1dd3eaecff62d7126902a742fbeaee301485f1d011720d263883698dbc20b2edd4e
- SSDEEP
  
  12288:WdOWWvUe3yT2+gGYuSBAlz68Xbi1UfkNyC63r47ofWS42q0R7E0UkyT27kR:ooUe0ke+sekkod747A42qqANpX
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan