lokibot | 8b4f23379d7c7cbd4aedd2dd648d0b181d80f2cde29eacfe03b7d155e012be91 | Triage

Submit
Reports

Overview

overview

Static

static

3

874ad1a5d6...18.exe

windows7-x64

874ad1a5d6...18.exe

windows10-2004-x64

Sharing

General

Target

874ad1a5d6955021881a3c19061cf4f6_JaffaCakes118
Size

972KB
Sample

240531-rllk5abb2x
MD5

874ad1a5d6955021881a3c19061cf4f6
SHA1

65c80b2b25c578ddee72176e836c383b381f3686
SHA256

8b4f23379d7c7cbd4aedd2dd648d0b181d80f2cde29eacfe03b7d155e012be91
SHA512

97426ed44fdf428ca173f90c2c78d13714168790f7c2c98c92841d3b06eb8260be88a5850b53c905ed6e0db294d85df6923b12fa568b3eb17ff9c67faa0dcb9a
SSDEEP

3072:fEL68ieI7D5qSVwn2Ij4zAAc6s7UEPslhEKe9vHKh:8Q71qggj4zAV6sgEsDEKivK

Score

10^/10

lokibot netwire botnet collection rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

874ad1a5d6955021881a3c19061cf4f6_JaffaCakes118.exe

Resource

win7-20240508-en

lokibot netwire botnet collection rat spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

874ad1a5d6955021881a3c19061cf4f6_JaffaCakes118.exe

Resource

win10v2004-20240508-en

lokibot netwire botnet collection rat spyware stealer trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Bushbush
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
RjCRIvgp
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Extracted

Family

lokibot

C2

http://valdepian.com/eurostil/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  874ad1a5d6955021881a3c19061cf4f6_JaffaCakes118
- Size
  
  972KB
- MD5
  
  874ad1a5d6955021881a3c19061cf4f6
- SHA1
  
  65c80b2b25c578ddee72176e836c383b381f3686
- SHA256
  
  8b4f23379d7c7cbd4aedd2dd648d0b181d80f2cde29eacfe03b7d155e012be91
- SHA512
  
  97426ed44fdf428ca173f90c2c78d13714168790f7c2c98c92841d3b06eb8260be88a5850b53c905ed6e0db294d85df6923b12fa568b3eb17ff9c67faa0dcb9a
- SSDEEP
  
  3072:fEL68ieI7D5qSVwn2Ij4zAAc6s7UEPslhEKe9vHKh:8Q71qggj4zAV6sgEsDEKivK
Score

10^/10

lokibot netwire botnet collection rat spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotnetwirebotnetcollectionratspywarestealertrojan

behavioral2

lokibotnetwirebotnetcollectionratspywarestealertrojan

© 2018-2024

Terms | Privacy