lokibot | 6a0b4f1e0d5b23e24597133b512d6b530cec42a5afbb619ea6d842c242207d16

Analysis

max time kernel
100s
max time network
94s
platform
windows7_x64
resource
win7v200430
submitted
30-06-2020 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Environmental.exe
Size

318KB
MD5

97d9322c14fac9b4108802d14e5c051e
SHA1

be0e39b06d8866856d4a6422cdaa9a930d3be31d
SHA256

6a0b4f1e0d5b23e24597133b512d6b530cec42a5afbb619ea6d842c242207d16
SHA512

4401c2023ac7ac7c21a425705f77a7979e70f963f96d64f36f53106f61a76efcddd08271157baa48dc52b716e8c4cd90bd9470288811e315c440fb44fb62ee99

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

http://bobbyfile.ml/Bobby/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Environmental.exe

description	pid	process	target process
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe
PID 1500 wrote to memory of 1816	1500	Environmental.exe	Environmental.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Environmental.exe

description pid process target process

PID 1500 set thread context of 1816 1500 Environmental.exe Environmental.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Environmental.exe

description pid process

Token: SeDebugPrivilege 1816 Environmental.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Environmental.exe

pid process

1816 Environmental.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

description	pid	process	target process
PID 1500 set thread context of 1816	1500	Environmental.exe	Environmental.exe

description	pid	process
Token: SeDebugPrivilege	1816	Environmental.exe

pid	process
1816	Environmental.exe

C:\Users\Admin\AppData\Local\Temp\Environmental.exe
"C:\Users\Admin\AppData\Local\Temp\Environmental.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1500

C:\Users\Admin\AppData\Local\Temp\Environmental.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1816-1-0x00000000004139DE-mapping.dmp

Download
memory/1816-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download