Afternoon everyone!🙂Playing around with Lokibot trojan this afternoon to relax. It had a IsDebuggerPresent function to exit if it detects xdbg etc. So fun!🙂Putting together a lesson plan for next Monday today as well. I will be teaching back at The Cyber Cossack school in…

Kaspersky, yeni bulaşma yöntemlerini raporladı: “Emotet geri dönüyor, Lokibot devam ediyor!'
afyonstarhaber.com/kaspersky-yeni…

#Afyonhaber #Haber #Afyonkarahisar #AfyonSondakika

Evening all!🙂Playing around with Lokibot trojan again this afternoon. TrIDNET was inconclusive what the file actually was. Exeinfo to the rescue! A 32 bit C++ exe written on Autoit.🙂EXEInfo also has the handy feature of telling me what its packed with.

Put the malware into…

🕷 LokiBot #malware

SHA-256 =>{ 334dc75798844588b8c21af661c628627585b57df46973d762d7d930d4ec57b3 }

😛GitHub >github.com/5kidRo0t/Malwa…

🦠VirusTotal >virustotal.com/gui/file/334dc…

What a beautiful way to start the day :)

#Lokibot #panel #itw

Lokibot c2 observed DigitalOcean
ip: 178.128.238.137

hxxps://www.virustotal.com/gui/file/a2e10236dab3013a041ead462b2b280af3f4e9f96a3ca878579dce7d8fef23ec

Fake a KID called BEAST mint page going around , when you try to connect on mobile it prompts “no phones allowed please connect to desktop” obv the FIRST red flag, when scanned through VirusTotal we see it masking “LokiBot” Malware. DO NOT INTERACT.

REAL PAGE: a KID called BEAST

🔥 An email sample spreads #LokiBot was submitted from VN!
✉️27011215dce27a21aaa6a08898f11672
🐛93ed842119d52c8104eba8c1d3cbfe8e
IOCs:
🌐http://161[.]35.102.56/~nikol/?p=314875839320

A simple and rarely seen example of extracting data stolen by a #lokibot , not that it's a big deal, but it might come in handy for someone💁‍♀️

🔥Maldoc sample spreads #LokiBot was submitted to VT from VN!!
📄hash:e1d6c159c4e0b5d404d763846914c1b33b26591fd4100da3235335889f6a9407
IOCs:
👹http://103[.]167.92.45/kung/GG18.exe
🌐http://171[.]22.30.164/kung/five/fre.php

🔥New #maldoc spreads #LokiBot was submitted to VT from VN 🇻🇳!
📃hash:6be525d464e45656332ec814975fbced53acfc8ff7ba0e165f2c66c85df47e20
☠️IOCs:
👹http://23[.]227.196.204/Newfold/ansi.exe
💀23[.]227.196.204
🌐http://sempersim[.]su/a14/fre.php

We've updated the vx-underground malware sample collection.

- NokoyaRansomware
- QakBot
- Karma
- Conti
- Pysa
- LokiBot
- Industroyer
- PryntStealer
- BlackGuard
- Redline
- Certishell
- Emotet

Check it out here: samples.vx-underground.org/samples/Famili…

Fortinet researchers show how the CVE-2021-40444 & CVE-2022-30190 remote code execution vulnerabilities allowed attackers to embed malicious macros within Microsoft documents that, when executed, dropped the LokiBot malware onto the victim's system. fortinet.com/blog/threat-re…

We've updated the vx-underground malware sample collection

- RedLine
- RecordBreaker
- Vidar
- FormBook
- RhadamanthysLoader
- Xenomorph
- SnakeKeylogger
- Remcos
- AgentTesla
- Lokibot
- CatB
- LgoogLoader
- MagniberRansomware
- AsycnRAT

vx-underground.org

Morning all! This Lokibot malware is a bit more complicated!🙂After 3 months of daily assembly study I'm having a ton of fun pulling this malware apart with Ghidra and xdgb.🙂

In September 2023, we collected Command and Control (C2) panels associated with diverse malwares . Over this timeframe, we identified 222 indicators of compromise, with Supershell leading the list, followed by Lokibot, Risepro, Unam, and Xkeybot. Additionally, our observations…

#LokiBot is one of the most enduring credential stealers. On ANYRUN, the first tag for LokiBot was applied on March 6, 2018, making it one of the first public submissions.

🟥 - The aPLib compression algorithm is used to compress the decoded exfiltrated data and credentials from…

“Emotet geri dönüyor, Lokibot devam ediyor!” ehaber27.com/haber/16037394… #teknoloji

Hetzner Cloudflare CloudflareHelp
hxxps://t.me/knyghthax
hxxps://knyghthax.com/

Creditcard fraud targetted german and dutch citizens.
with the help of Vangelis tix Stykas we have retrieved source code being used.

Gi7w0rm #lokibot #phishing
twitter.com/banthisguy9349…

Lokibot has a basic function at the beginning of the program to see if a debugger is present. If so it tosses an exception.🙂My close friend over the past few months DBG to the rescue.🙂It compares its eax registry and uses a JNE if our debugger shows up. Thankfully we can edit…