lokibot | 268c70192ec2b0f6d279ee5d946de5dc694a68cb8b27aa991a8de5c87c41dc63

Analysis

max time kernel
66s
max time network
63s
platform
windows10_x64
resource
win10
submitted
13-07-2020 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request For Quotation.exe
Size

851KB
MD5

c1eb65ab319f55bd54b91a4ade3234ab
SHA1

2712d7c0a08296ad0f373fce962f2cc07a2fe3ca
SHA256

268c70192ec2b0f6d279ee5d946de5dc694a68cb8b27aa991a8de5c87c41dc63
SHA512

ee765845fede0d0421cd6c69b19716e8b642edaec1572fb19e0574a8737c50f420afe174f3385fe458f383409a9889faae89bcfdbf7746baa9c9a94ea2f2f9eb

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

http://195.69.140.147/.op/cr.php/u1DEZ4oVQPK3w

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Request For Quotation.exe

pid process

3720 Request For Quotation.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Request For Quotation.exe

pid process

3536 Request For Quotation.exe
3536 Request For Quotation.exe

pid	process
3720	Request For Quotation.exe

pid	process
3536	Request For Quotation.exe
3536	Request For Quotation.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Request For Quotation.exe

description	pid	process	target process
PID 3536 wrote to memory of 3720	3536	Request For Quotation.exe	Request For Quotation.exe
PID 3536 wrote to memory of 3720	3536	Request For Quotation.exe	Request For Quotation.exe
PID 3536 wrote to memory of 3720	3536	Request For Quotation.exe	Request For Quotation.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Request For Quotation.exe

pid process

3536 Request For Quotation.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Request For Quotation.exe

description pid process target process

PID 3536 set thread context of 3720 3536 Request For Quotation.exe Request For Quotation.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Request For Quotation.exe

description pid process

Token: SeDebugPrivilege 3720 Request For Quotation.exe

pid	process
3536	Request For Quotation.exe

description	pid	process	target process
PID 3536 set thread context of 3720	3536	Request For Quotation.exe	Request For Quotation.exe

description	pid	process
Token: SeDebugPrivilege	3720	Request For Quotation.exe

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3536

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3720-1-0x00000000004139DE-mapping.dmp

Download
memory/3720-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3720-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download