lokibot | 3235eeb992191113c5427d8d3991440e6209fc255a2219c2676197259c2dd510

General

Target

Payment Pdf.exe
Size

608KB
MD5

76747e6f8ac80f5b1835a47a9342ddca
SHA1

5ff4bca1c0e52a4d3e8cb2d2955a3fea53da58bb
SHA256

3235eeb992191113c5427d8d3991440e6209fc255a2219c2676197259c2dd510
SHA512

2d42cef5660f3b131a239f1bb502f907cfb64ab3c1c89991826ca11ff04f7899a9e2b4400873b4f9be50db8c5878317e59f40182fd4f44f8a34047fea5ecd575

Score

10^/10

spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

C2

http://mecharnise.ir/sto/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Payment Pdf.exe

description	pid	process	target process
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe
PID 1680 wrote to memory of 1976	1680	Payment Pdf.exe	Payment Pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Pdf.exe

description pid process target process

PID 1680 set thread context of 1976 1680 Payment Pdf.exe Payment Pdf.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Payment Pdf.exe

pid process

1976 Payment Pdf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Pdf.exePayment Pdf.exe

description pid process

Token: SeDebugPrivilege 1680 Payment Pdf.exe
Token: SeDebugPrivilege 1976 Payment Pdf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Payment Pdf.exe

pid process

1680 Payment Pdf.exe
1680 Payment Pdf.exe
1680 Payment Pdf.exe
1680 Payment Pdf.exe

description	pid	process	target process
PID 1680 set thread context of 1976	1680	Payment Pdf.exe	Payment Pdf.exe

pid	process
1976	Payment Pdf.exe

description	pid	process
Token: SeDebugPrivilege	1680	Payment Pdf.exe
Token: SeDebugPrivilege	1976	Payment Pdf.exe

pid	process
1680	Payment Pdf.exe
1680	Payment Pdf.exe
1680	Payment Pdf.exe
1680	Payment Pdf.exe

C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Users\Admin\AppData\Local\Temp\Payment Pdf.exe
"{path}"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1976-3-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1976-4-0x00000000004139DE-mapping.dmp

Download
memory/1976-5-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing