lokibot | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb

General

Target

5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
Size

646KB
MD5

326f92541289d653456900e9b7afb9ec
SHA1

4566b6195e555853703d1ea628f6ca828033e658
SHA256

5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb
SHA512

08ff3c75dc1d45e1d8d1c7cf00485698ac21b34a5c29ecdca12949d419caabde58071d45b9fc22cd468a829ce1f3a795ced62d1021f0ddc8025720918aea84a1

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

C2

http://t-mk.me/blessed/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

description	pid	process	target process
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
PID 3684 wrote to memory of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

description	pid	process	target process
PID 3684 set thread context of 3384	3684	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

description pid process

Token: SeDebugPrivilege 3384 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

pid process

3384 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

description	pid	process
Token: SeDebugPrivilege	3384	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

pid	process
3384	5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe

C:\Users\Admin\AppData\Local\Temp\5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
"C:\Users\Admin\AppData\Local\Temp\5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3684

C:\Users\Admin\AppData\Local\Temp\5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3384-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3384-1-0x00000000004139DE-mapping.dmp

Download
memory/3384-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing