Rewterz Threat Alert – LokiBot Malware

Rewterz Threat Alert – Delta Electronics hit by Conti Ransomware – Active IOCs

February 1, 2022

Rewterz Threat Alert – Midas Ransomware Deployed using Windows Services – Active IOCs

February 1, 2022

Rewterz Threat Alert – LokiBot Malware – Active IOCs

Severity

Medium

Analysis Summary

In early 2016, LokiBot was originally made available on underground forums for cybercriminals to use against Microsoft Android phones. This malware steals sensitive information including, usernames, cryptocurrency wallets, and other credentials via Trojan software. Malware grabs credentials by monitoring browser and desktop activities from the password storage using a keylogger. LokiBot can also install a backdoor into affected systems, allowing an attacker to install other payloads. Spam emails, communication channels such as SMS, Skype, and malicious websites are all used to spread LokiBot. To keep track of what users are doing (for instance, recording keystrokes), this malware can be utilized.

Impact

Information Theft
Exposure of Sensitive Data
Credential Theft

Indicators of Compromise

MD5

cdcf79a11a2cf77813a8c7647082472f
b33f2c62ab5265056d7bbd6cebd0a0bd
d30d259cf41d5658e14c4516fa7bdf46
c7b01643a9582612bb72d2b27b19feee
66052e613c813cccbcc56b254b3e49f3
f51a0609156dca97c1cb8634902e70d3
d95495728db1d257c78bcc19b43e94ff
e34f8459644e4e8367246ba7453958ec
6d68e63b401ef3f2676623ad412fb8f3
c2c41aa533754582d7dbf9ee53e603c8

SHA-256

7de23e4a24000890c6c512cd03e134a1e16972f66eca60c6976bce160890bf2b
0ead85ccd5db3e064d9f8af054451d9bb344fe04d8e81a6d785169ce03ff0ab9
a1794e9a38665905a0b55b86033a06c413b4aeb0d0be861dac372c5656aeee3d
4b9ac6d386d1c1346e595413bca9607641b0d773d33f3cfe09c22f0cc3530581
01509d9650a3d9a72ab17ba13b6ea71c449231ebd3490caa9c43689472f710a1
4c8a4ad4c41b96599f24dbf53c05b900e4b4c998bb78b1fdc608bfd9f599646a
455c4dde4d57fa86d06f78a313554f20aa7e17d082d453c65f7bacd038fd29c4
293e1fe2ef7e22411a0768e627d3c9127bf0e5f2b12765ef68a177c731e6a49a
c22b0673ede829cf8db33e88eabe570dd250d60ff024207e374ed3f68dcc3007
ccce823bc5f1492cf004171d0522042cb78a15791ff47754b1f608e25097a208
d9e9ea0af6a909d686e11fd89f5eacc4363018935a3e6a2c25fd1b39527fa511

SHA-1

89e50d53f357490b5e8ba5f0a2c6508065c3c8c3
a7511c216201c81050a41a03483017bd9289f75c
c8abfbb76eae78483202702acda9b06422abbf46
a5b81bafc4923c37990a12c9af2828b90959de60
ecda94bbe31a0758d1f315580ad6ff870e9067d5
669a1d38d535906052cb77b43e4c72ce33424cb1
21b63e94c20e25c8d7b0f6324a0e50c1f3d35923
d430ed5fb33e1761c0ce88a641578c116d323008
2fb978a3ab9a6cd75b0132771c16e653ec2572c1
0910f325f730ff58ffb7c78dd30782dfa44f5865
56845be20c4fed623e8fcc9eb87d668f2d7d8912

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Always be suspicious about emails sent by unknown senders.
Never click on links sent by unknown senders.