lokibot | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8

Analysis

max time kernel
76s
max time network
123s
platform
windows10_x64
resource
win10
submitted
08/07/2020, 06:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEW INQUIRY PURCHASE ORDER.exe
Size

607KB
MD5

05e06166f7767f1c3d34ad3e4ab3009f
SHA1

a7eaac1d28e5453cfb594977df91ee24ce357195
SHA256

3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8
SHA512

f902f9819ba394c2e39b281e159441f6cda6275984bd311971674af991b09ca8797ae9ee32c2e9649641558b2521b18ddb012429f15d91395e498df214517a00

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

http://195.69.140.147/.op/cr.php/u1DEZ4oVQPK3w

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	NEW INQUIRY PURCHASE ORDER.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1232	NEW INQUIRY PURCHASE ORDER.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
720	NEW INQUIRY PURCHASE ORDER.exe
720	NEW INQUIRY PURCHASE ORDER.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 1232	720	NEW INQUIRY PURCHASE ORDER.exe	67
PID 720 wrote to memory of 1232	720	NEW INQUIRY PURCHASE ORDER.exe	67
PID 720 wrote to memory of 1232	720	NEW INQUIRY PURCHASE ORDER.exe	67

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
720	NEW INQUIRY PURCHASE ORDER.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 1232	720	NEW INQUIRY PURCHASE ORDER.exe	67

C:\Users\Admin\AppData\Local\Temp\NEW INQUIRY PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\NEW INQUIRY PURCHASE ORDER.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:720
- C:\Users\Admin\AppData\Local\Temp\NEW INQUIRY PURCHASE ORDER.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW INQUIRY PURCHASE ORDER.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: RenamesItself
  PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1232-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download