lokibot | 67951f5d6430b7151a5a3d3a05dc5c630279f4113924cd9d9d5e90162d676f52

Analysis

max time kernel
135s
max time network
129s
platform
windows10_x64
resource
win10v200430
submitted
09/07/2020, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57ce7dd66cb6de7e30b23e6257635e9d.exe
Size

831KB
MD5

57ce7dd66cb6de7e30b23e6257635e9d
SHA1

1db54d45554ab3f24e543b01365c8eeb9c9228ef
SHA256

67951f5d6430b7151a5a3d3a05dc5c630279f4113924cd9d9d5e90162d676f52
SHA512

eb0858b20d3eb90c98258bc5e36b973a234eccbf354bfd07b7a4d4a69e33d84f60908bac53db3d025e979e7e61293bee36f108b761647b7f9610bb2bea78c6bb

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

http://emdadbimarz.ir/huhn/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 1276	664	57ce7dd66cb6de7e30b23e6257635e9d.exe	68

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	57ce7dd66cb6de7e30b23e6257635e9d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1276	57ce7dd66cb6de7e30b23e6257635e9d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
664	57ce7dd66cb6de7e30b23e6257635e9d.exe
664	57ce7dd66cb6de7e30b23e6257635e9d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 1276	664	57ce7dd66cb6de7e30b23e6257635e9d.exe	68
PID 664 wrote to memory of 1276	664	57ce7dd66cb6de7e30b23e6257635e9d.exe	68
PID 664 wrote to memory of 1276	664	57ce7dd66cb6de7e30b23e6257635e9d.exe	68

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
664	57ce7dd66cb6de7e30b23e6257635e9d.exe

C:\Users\Admin\AppData\Local\Temp\57ce7dd66cb6de7e30b23e6257635e9d.exe
"C:\Users\Admin\AppData\Local\Temp\57ce7dd66cb6de7e30b23e6257635e9d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:664
- C:\Users\Admin\AppData\Local\Temp\57ce7dd66cb6de7e30b23e6257635e9d.exe
  "C:\Users\Admin\AppData\Local\Temp\57ce7dd66cb6de7e30b23e6257635e9d.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: RenamesItself
  PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1276-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download