lokibot | 6480317220b83a20606f5f8e835254fd66984024fb9f3f358a9aee33bb9b387a | Triage

Submit
Reports

Overview

overview

Static

static

3

9ddf9a29e4...18.exe

windows7-x64

9ddf9a29e4...18.exe

windows10-2004-x64

Sharing

General

Target

9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118
Size

1.4MB
Sample

240611-mjy18atdmd
MD5

9ddf9a29e4e7a26ade32ba492ad12851
SHA1

ee86814c37343e5385231fd3bccc686222c178b3
SHA256

6480317220b83a20606f5f8e835254fd66984024fb9f3f358a9aee33bb9b387a
SHA512

5f23c86d58389e223006a653b49e29c99a07a9754e92edc0d2f2993ce94e3f11018759ec7d0a3598425d873bd85d5cf6a108643067fa3fc9938994a4062e841b
SSDEEP

24576:8UQK3C0RdSRKQ428hCst8Pd1lhkVOhjRbLH/RFalSZLZhIJ4FZwS:8URndUKl18lvhsI1L/aeo4

Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118.exe

Resource

win7-20240221-en

lokibot netwire botnet collection persistence rat spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118.exe

Resource

win10v2004-20240226-en

lokibot netwire botnet collection persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://lallahome2.ru/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

181.215.247.253:20881

Attributes

activex_autorun
true
activex_key
{W17VSAE7-MM7D-VKP1-T6CH-ASC0300H32OY}
copy_executable
true
delete_original
true
host_id
HostIdwadja
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
QtK37ulUUZ
registry_autorun
true
startup_name
chrome
use_mutex
false

Targets

- Target
  
  9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  9ddf9a29e4e7a26ade32ba492ad12851
- SHA1
  
  ee86814c37343e5385231fd3bccc686222c178b3
- SHA256
  
  6480317220b83a20606f5f8e835254fd66984024fb9f3f358a9aee33bb9b387a
- SHA512
  
  5f23c86d58389e223006a653b49e29c99a07a9754e92edc0d2f2993ce94e3f11018759ec7d0a3598425d873bd85d5cf6a108643067fa3fc9938994a4062e841b
- SSDEEP
  
  24576:8UQK3C0RdSRKQ428hCst8Pd1lhkVOhjRbLH/RFalSZLZhIJ4FZwS:8URndUKl18lvhsI1L/aeo4
Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

behavioral2

lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy