lokibot | a440dca4a1559d04426c05899989e611bd77d55b3fe00713b70e1b4968c8f61b

Analysis

max time kernel
142s
max time network
152s
platform
windows7_x64
resource
win7
submitted
30-06-2020 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank Reciept.exe
Size

209KB
MD5

0207edc8cf65c2e87d4ce3e72cf4ad1f
SHA1

4ddda3e0700098a0dd64c44f78a5e2166b47d395
SHA256

a440dca4a1559d04426c05899989e611bd77d55b3fe00713b70e1b4968c8f61b
SHA512

a58c79ab3781cc4f2e12a563eb3243fe42ee28ad0838af25a41a50308e8dc246192a8471dc7b1edc8af8d48dd8864daa8531c59d8cdccba9f78c1532df838c79

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

http://beckhoff-th.com/kon/kon2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Bank Reciept.exe

description	pid	process	target process
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe
PID 1344 wrote to memory of 876	1344	Bank Reciept.exe	Bank Reciept.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank Reciept.exe

description pid process target process

PID 1344 set thread context of 876 1344 Bank Reciept.exe Bank Reciept.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Bank Reciept.exe

description pid process

Token: SeDebugPrivilege 876 Bank Reciept.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Bank Reciept.exe

pid process

876 Bank Reciept.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

description	pid	process	target process
PID 1344 set thread context of 876	1344	Bank Reciept.exe	Bank Reciept.exe

description	pid	process
Token: SeDebugPrivilege	876	Bank Reciept.exe

pid	process
876	Bank Reciept.exe

C:\Users\Admin\AppData\Local\Temp\Bank Reciept.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Reciept.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1344

C:\Users\Admin\AppData\Local\Temp\Bank Reciept.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-3-0x00000000004139DE-mapping.dmp

Download
memory/876-4-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1344-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download