lokibot | 1864cfb59340419df0dda66c8a9a5912878bef414773e0569d52cde18fdff85c

General

Target

0070620200012-pdf.exe
Size

661KB
MD5

096a791524b9ff0ee657822bc7c4636b
SHA1

fa3c732f69b3cd83e35a3edda7109df021b74e91
SHA256

1864cfb59340419df0dda66c8a9a5912878bef414773e0569d52cde18fdff85c
SHA512

950f53cd4210cebeaf7a353a7d4966a5ca25b7f5494548f04aa8287e298753d27250d1b416ad5cda08d68cb60f902d1d4fdd95be7f33fbe9617beeefb7614f03

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

C2

http://mygreencity.in/scripts/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 2612	3612	0070620200012-pdf.exe	69

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	0070620200012-pdf.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2612	0070620200012-pdf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3832	schtasks.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 3832	3612	0070620200012-pdf.exe	67
PID 3612 wrote to memory of 3832	3612	0070620200012-pdf.exe	67
PID 3612 wrote to memory of 3832	3612	0070620200012-pdf.exe	67
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69
PID 3612 wrote to memory of 2612	3612	0070620200012-pdf.exe	69

C:\Users\Admin\AppData\Local\Temp\0070620200012-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\0070620200012-pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kbrTtfneFIkmUj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp76C1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\0070620200012-pdf.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: RenamesItself
  PID:2612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2612-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2612-4-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads