lokibot | 6a0b4f1e0d5b23e24597133b512d6b530cec42a5afbb619ea6d842c242207d16

General

Target

Environmental.exe
Size

318KB
MD5

97d9322c14fac9b4108802d14e5c051e
SHA1

be0e39b06d8866856d4a6422cdaa9a930d3be31d
SHA256

6a0b4f1e0d5b23e24597133b512d6b530cec42a5afbb619ea6d842c242207d16
SHA512

4401c2023ac7ac7c21a425705f77a7979e70f963f96d64f36f53106f61a76efcddd08271157baa48dc52b716e8c4cd90bd9470288811e315c440fb44fb62ee99

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

C2

http://bobbyfile.ml/Bobby/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Environmental.exe

description	pid	process	target process
PID 3100 wrote to memory of 3864	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3864	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3864	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3384	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3384	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3384	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe
PID 3100 wrote to memory of 3836	3100	Environmental.exe	Environmental.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Environmental.exeEnvironmental.exe

description pid process

Token: SeDebugPrivilege 3100 Environmental.exe
Token: SeDebugPrivilege 3836 Environmental.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Environmental.exe

pid process

3100 Environmental.exe
3100 Environmental.exe
3100 Environmental.exe
3100 Environmental.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Environmental.exe

description pid process target process

PID 3100 set thread context of 3836 3100 Environmental.exe Environmental.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Environmental.exe

pid process

3836 Environmental.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

description	pid	process
Token: SeDebugPrivilege	3100	Environmental.exe
Token: SeDebugPrivilege	3836	Environmental.exe

pid	process
3100	Environmental.exe
3100	Environmental.exe
3100	Environmental.exe
3100	Environmental.exe

description	pid	process	target process
PID 3100 set thread context of 3836	3100	Environmental.exe	Environmental.exe

pid	process
3836	Environmental.exe

C:\Users\Admin\AppData\Local\Temp\Environmental.exe
"C:\Users\Admin\AppData\Local\Temp\Environmental.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:3100

C:\Users\Admin\AppData\Local\Temp\Environmental.exe
"{path}"
2⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\Environmental.exe
"{path}"
2⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\Environmental.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3836-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3836-1-0x00000000004139DE-mapping.dmp

Download
memory/3836-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing