lokibot | 72efdaf6f1dd6d5081e3bc7e4b981f40a03874a0d33040cd54bb1bcea9c0a7e8 | Triage

Sharing

General

Target

72efdaf6f1dd6d5081e3bc7e4b981f40a03874a0d33040cd54bb1bcea9c0a7e8
Size

514KB
Sample

250226-fanesszj14
MD5

1d0bd0dde6f00cd54260bf89821ff389
SHA1

5c98222a399eb52458f3385bade933dd12c53bfe
SHA256

72efdaf6f1dd6d5081e3bc7e4b981f40a03874a0d33040cd54bb1bcea9c0a7e8
SHA512

2c8c4621ae8a7849b6d70449972a40508d56842f87dc41ffd634c103ce219b6f65c865add4dc70f970a4683d7b817e54e685d48d241388424d5b347b8f4eabb9
SSDEEP

12288:sS/TFAUnNsExKORYy/iC6kogJob+kfIRpwbuT1Ivd:s+TFA0LxKIfYkogCakHpvd

Score

10^/10

lokibot collection discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/sss1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  RFQ Enquiry Files.exe
- Size
  
  588KB
- MD5
  
  cd7e57947ce80d5c613ba6f761ff1c0d
- SHA1
  
  88c2e06cff9661fd1c35eebca1b20466382b83ea
- SHA256
  
  2796c9a06becbb63d358c4c25e8bb6bb686deaf10399c3a1c3bf140dbd0133b5
- SHA512
  
  4f5d013acfff38f0da01fcf139d02937f8ef3fe0aa47e753f2177b60ac8879c1f73bfc886bdc6376ffc1c9358bb7a73778f7e0dff9d9c058d30fd480e457c63a
- SSDEEP
  
  12288:OFa383le9ciJv/AF6x50QSpEptEwBoIxqpN080RBqyS8mfizMbnkR:kU3TvokApEpqwKyA088siAe
Score

10^/10

lokibot collection discovery execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lokibotcollectiondiscoveryexecutionspywarestealertrojan

behavioral2

lokibotcollectiondiscoveryexecutionspywarestealertrojan