lokibot | 5f7ea0bdf9b037b2a19d42325085035c419f86d967814bf8f544b8eaa39841eb

Analysis

max time kernel
126s
max time network
124s
platform
windows7_x64
resource
win7
submitted
30-06-2020 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new crypted.exe
Size

599KB
MD5

528e2a7d71e7d96e8c8e59d5ebb2bd1c
SHA1

54cd335268104d8b22d66a24796050ee48a3ac72
SHA256

5f7ea0bdf9b037b2a19d42325085035c419f86d967814bf8f544b8eaa39841eb
SHA512

46dd6d165fce867b2e3f3603d6c6ecbd1dd5c48d0a6ae2354fc7edf0254e2d0d6d45574db18731d73d43030322a4421614903049f6aa78aa4e144f783987b2aa

Score

10^/10

trojan spyware stealer lokibot

Malware Config

Extracted

Family

lokibot

airmanselectiontest.com/oo/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

new crypted.exe

pid process

1088 new crypted.exe

pid	process
1088	new crypted.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

new crypted.exe

description	pid	process	target process
PID 1088 wrote to memory of 1204	1088	new crypted.exe	new crypted.exe
PID 1088 wrote to memory of 1204	1088	new crypted.exe	new crypted.exe
PID 1088 wrote to memory of 1204	1088	new crypted.exe	new crypted.exe
PID 1088 wrote to memory of 1204	1088	new crypted.exe	new crypted.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

new crypted.exe

pid process

1088 new crypted.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

new crypted.exe

description pid process target process

PID 1088 set thread context of 1204 1088 new crypted.exe new crypted.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

new crypted.exe

description pid process

Token: SeDebugPrivilege 1204 new crypted.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

new crypted.exe

pid process

1204 new crypted.exe
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

pid	process
1088	new crypted.exe

description	pid	process	target process
PID 1088 set thread context of 1204	1088	new crypted.exe	new crypted.exe

description	pid	process
Token: SeDebugPrivilege	1204	new crypted.exe

pid	process
1204	new crypted.exe

C:\Users\Admin\AppData\Local\Temp\new crypted.exe
"C:\Users\Admin\AppData\Local\Temp\new crypted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1088

C:\Users\Admin\AppData\Local\Temp\new crypted.exe
"C:\Users\Admin\AppData\Local\Temp\new crypted.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1204-1-0x00000000004139DE-mapping.dmp

Download
memory/1204-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download