lokibot | b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0 | Triage

Submit
Reports

Overview

overview

Static

static

8

Pago Factura.xls

windows7_x64

Pago Factura.xls

windows10_x64

Sharing

General

Target

Pago Factura.xls
Size

160KB
Sample

200630-knpevy6mk2
MD5

03b1061e0a0cdf717e60708f1051d156
SHA1

2c3a07752cb73e1b0bd80f2b6554f0ec4bed2ba8
SHA256

b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0
SHA512

98129c7d88a3f079595846d3e00eac3d7f6b7e35151f1dd80d4e31b1290fc6dee88129f53e903b3956be3ac69606d696c86ee540f654d7b72701d2744bdcd3fd

Score

10^/10

lokibot evasion macro spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

Pago Factura.xls

Resource

win7

evasion spyware trojan stealer lokibot

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Pago Factura.xls

Resource

win10v200430

spyware trojan stealer lokibot

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://46.21.147.175/FtgPlac/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  Pago Factura.xls
- Size
  
  160KB
- MD5
  
  03b1061e0a0cdf717e60708f1051d156
- SHA1
  
  2c3a07752cb73e1b0bd80f2b6554f0ec4bed2ba8
- SHA256
  
  b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0
- SHA512
  
  98129c7d88a3f079595846d3e00eac3d7f6b7e35151f1dd80d4e31b1290fc6dee88129f53e903b3956be3ac69606d696c86ee540f654d7b72701d2744bdcd3fd
Score

10^/10

evasion spyware trojan stealer lokibot
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies system certificate store
  evasion spyware trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionspywaretrojanstealerlokibot

behavioral2

spywaretrojanstealerlokibot

© 2018-2024

Terms | Privacy