Manual Static Analysis (LLM-read) — LokiBot DOC/RTF Dropper | Threat: HIGH
File Identity
SHA256        904a61a37592f6a7c9e5db72bc097782911ac5992b17c2188ae9c6306c41c1e2
Format        RTF/DOC macro dropper (officedocuments.doc)
Size          611,186 bytes
String count  1,759
Distribution Vector
DOC/RTF dropper: disguised under the file name "officedocuments.doc" and used as an attachment in spear-phishing emails. When the Office document is opened, the payload is executed through an exploit or a macro.
Analysis Findings
SMTP port 465 was detected inside an isolated string, encoded with hidden whitespace (whitespace steganography?).
A large base64/binary blob is embedded inside the RTF header: {\*\fttruetype... XBbS1a0cfY...}
This RTF-embedded binary may contain the actual LokiBot payload or shellcode.
LokiBot Exfiltration Channels
HTTP POST (primary method): sends unencrypted data to the gate.php or fre.php endpoint
SMTP (port 465/587): sends passwords and form data over SMTP to the attacker's mailbox
FTP (port 21): copies the harvested credentials to an FTP server
LokiBot Capabilities
Category        Targets
FTP             FileZilla, WinSCP, CuteFTP, SmartFTP — credentials
Email           Outlook, Thunderbird — passwords and account information
Browsers        Chrome, Firefox, IE, Opera — saved passwords
VPN             NordVPN, OpenVPN config files
Crypto wallets  Bitcoin Core, Electrum wallet files
About LokiBot
LokiBot is a C++-based credential thief and infostealer family that emerged in 2015. It initially targeted FTP client passwords; today it targets 100+ application categories. It became widespread because it is sold cheaply on underground forums (sometimes for around $300).
IOC
SHA256  904a61a37592f6a7c9e5db72bc097782911ac5992b17c2188ae9c6306c41c1e2
Format  RTF/DOC dropper
SMTP    Port 465 (exfiltration)
LokiBot — Malware Profile
Tags: LokiBot, Loki PWS, infostealer. Delivery: ISO attachments using an Italian purchase-order ("Ordine di acquisto") lure. Keylogging via GetKeyNameTextW.
Technical Details
Written in C++; HTTP POST form-based C2; browser credential theft; FTP/SMTP/VPN stealer; FileZilla/WinSCP credential theft; anti-emulation (timing checks); C2 IP address hidden via steganography.
Capabilities & Behavior
Browser credentials
FTP/SSH client passwords
IOC List
(1 indicator)
Type    Value                                                             Note
sha256  904a61a37592f6a7c9e5db72bc097782911ac5992b17c2188ae9c6306c41c1e2  —
C2 Servers
(2 recorded servers for this family)
Address         Type    Port  Protocol  Status     Country
109.206.243.59  ip      80    HTTP      inactive   RU
lokibot.net     domain  80    HTTP      sinkholed  —
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.