lokibot | 9c0b6b97d59b6256d1c6fde1d047f1fa24d1c911f2772f55a4fdad608b484e09 | Triage

Submit
Reports

Overview

overview

Static

static

1

98e1aa492f...0b.exe

windows7-x64

98e1aa492f...0b.exe

windows10-2004-x64

Sharing

General

Target

208c31479a014536a9fe9c13acc0d403.bin
Size

452KB
Sample

240621-c2qsfswdqf
MD5

3cd9e08f3140a1e1c3115ce8d7fd0762
SHA1

67bb5f6b667ad4e715a1e34339fdebcba41a89e0
SHA256

9c0b6b97d59b6256d1c6fde1d047f1fa24d1c911f2772f55a4fdad608b484e09
SHA512

e0d2cd5c4bc94d4880c44c2c095543a59c35118eace1850d65d1aaf8e7c5e33ba4297c6b594e89239fce279805c7c24c1dcef429e4a8b5aa1315d2951795153b
SSDEEP

12288:YLmdAVhjfSTrT7lKKeFkOEnpiCsux21Sr:QajxmkOYpiCsumSr

Score

10^/10

lokibot collection execution spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b.exe

Resource

win7-20240508-en

lokibot collection execution spyware stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b.exe

Resource

win10v2004-20240226-en

lokibot collection execution spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

http://midwestsoil.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b.exe
- Size
  
  490KB
- MD5
  
  208c31479a014536a9fe9c13acc0d403
- SHA1
  
  e9e082b4a5cbd4ce17168d4164dfa6fab84bf2cd
- SHA256
  
  98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b
- SHA512
  
  c1835226ae6bafd4309806773dbfd782dd39f71ffc760a74a822559b017457d9ac1b4f7e53f53bde1bd16150b454d7732855588eba6fc8513ff2a4ac00e98b2a
- SSDEEP
  
  12288:+3Omoel/jaCQRwfzt/sWo5hZg1OpckFqUj7DWkR:Hmnl/2Cy/5hi0WkFlN
Score

10^/10

lokibot collection execution spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotcollectionexecutionspywarestealertrojan

behavioral2

lokibotcollectionexecutionspywarestealertrojan

© 2018-2024

Terms | Privacy