lokibot | cbe84e2c523fd51dabb1365df50415ffc51f8159c36798061742f08ba5d31b9b | Triage

Submit
Reports

Overview

overview

Static

static

_2201S_BUS..._.xlsx

windows7_x64

_2201S_BUS..._.xlsx

windows10-2004_x64

4

Sharing

General

Target

_2201S_BUSAN_HOCHIMINH_.xlsx
Size

187KB
Sample

220210-gj7epsefh5
MD5

cf8b307caa943326ee808bb3cb02deee
SHA1

705c25adbdb7b805e47566540b3804eba178e7da
SHA256

cbe84e2c523fd51dabb1365df50415ffc51f8159c36798061742f08ba5d31b9b
SHA512

cfc3ae790c2e17051a4b03214baefd44eb30e8601bf8afd2d711cd197263854e96c19c2486a8838a1971607e09ad6728f6b9d8d982f6395b1ffc7d9c7eb599aa

Score

10^/10

lokibot collection spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

_2201S_BUSAN_HOCHIMINH_.xlsx

Resource

win7-en-20211208

lokibot collection spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

_2201S_BUSAN_HOCHIMINH_.xlsx

Resource

win10v2004-en-20220112

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

lokibot

C2

http://asiaoil.bar//bobby/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  _2201S_BUSAN_HOCHIMINH_.xlsx
- Size
  
  187KB
- MD5
  
  cf8b307caa943326ee808bb3cb02deee
- SHA1
  
  705c25adbdb7b805e47566540b3804eba178e7da
- SHA256
  
  cbe84e2c523fd51dabb1365df50415ffc51f8159c36798061742f08ba5d31b9b
- SHA512
  
  cfc3ae790c2e17051a4b03214baefd44eb30e8601bf8afd2d711cd197263854e96c19c2486a8838a1971607e09ad6728f6b9d8d982f6395b1ffc7d9c7eb599aa
Score

10^/10

lokibot collection spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

lokibotcollectionspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy