lokibot | c359fd0f9dac8f4af2962f21260dd4661fc27a7d787e1e6c7a71dc056b95071e | Triage

Submit
Reports

Overview

overview

Static

static

3

1601fd5152...18.exe

windows7-x64

1601fd5152...18.exe

windows10-2004-x64

Sharing

General

Target

1601fd5152f9fa9551c0c61fb208ebb7_JaffaCakes118
Size

182KB
Sample

240627-pnk19steln
MD5

1601fd5152f9fa9551c0c61fb208ebb7
SHA1

ff9a3397ce9d5892764259555c4c58ebbdcc47aa
SHA256

c359fd0f9dac8f4af2962f21260dd4661fc27a7d787e1e6c7a71dc056b95071e
SHA512

10415c15333a029db1d8946914513f7de382bc59a26538c8812a5dc190c71cc63db4e387debc47d658758a49589b9c3f8ef5427568743c1e487374365a8c9f17
SSDEEP

3072:yWXiRLOS4/mjVkdfuU0CYDSPeur7MSx5PfLItnemS/IrJXkP+U7FaliJh5Hzws3O:yWS9KOVkc8eu7hx5PMtemSwrJXkP378L

Score

10^/10

lokibot collection persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1601fd5152f9fa9551c0c61fb208ebb7_JaffaCakes118.exe

Resource

win7-20240419-en

lokibot collection persistence spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

1601fd5152f9fa9551c0c61fb208ebb7_JaffaCakes118.exe

Resource

win10v2004-20240508-en

lokibot collection persistence spyware stealer trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

lokibot

C2

https://lokipanelhostingpanel.gq/panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  1601fd5152f9fa9551c0c61fb208ebb7_JaffaCakes118
- Size
  
  182KB
- MD5
  
  1601fd5152f9fa9551c0c61fb208ebb7
- SHA1
  
  ff9a3397ce9d5892764259555c4c58ebbdcc47aa
- SHA256
  
  c359fd0f9dac8f4af2962f21260dd4661fc27a7d787e1e6c7a71dc056b95071e
- SHA512
  
  10415c15333a029db1d8946914513f7de382bc59a26538c8812a5dc190c71cc63db4e387debc47d658758a49589b9c3f8ef5427568743c1e487374365a8c9f17
- SSDEEP
  
  3072:yWXiRLOS4/mjVkdfuU0CYDSPeur7MSx5PfLItnemS/IrJXkP+U7FaliJh5Hzws3O:yWS9KOVkc8eu7hx5PMtemSwrJXkP378L
Score

10^/10

lokibot collection persistence spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Modifies WinLogon for persistence
  persistence
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

lokibotcollectionpersistencespywarestealertrojan

behavioral2

lokibotcollectionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy