lokibot | 0c7b624462f4f6adc240631b4c6f0ff2b2af456b2d86880716e744d943f10b29

General

Target

Aiqamyjeu2.exe
Size

611KB
MD5

af6956c3441b679ff98850c499c3c45e
SHA1

de44a12ab89fbecfa350ce21d679c0c04cbe64b2
SHA256

0c7b624462f4f6adc240631b4c6f0ff2b2af456b2d86880716e744d943f10b29
SHA512

0b7cd09d545b703a743c10882e446d2572925d56b3a947480107d6ebc8d6607d527a4898d9eb6dea643a9d969bf5d2da77d65c6778aa8c4bfe2dd532f48b5265

Score

10^/10

lokibot persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.239.242.195/os/2b/cgi.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Aiqamyjeu2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	Aiqamyjeu2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Aiqamyjeu2.exe

description pid process target process

PID 4760 set thread context of 4200 4760 Aiqamyjeu2.exe Aiqamyjeu2.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Aiqamyjeu2.exe

pid process

4200 Aiqamyjeu2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Aiqamyjeu2.exeAiqamyjeu2.exe

description pid process

Token: SeDebugPrivilege 4760 Aiqamyjeu2.exe
Token: SeDebugPrivilege 4200 Aiqamyjeu2.exe

description	pid	process	target process
PID 4760 set thread context of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe

pid	process
4200	Aiqamyjeu2.exe

description	pid	process
Token: SeDebugPrivilege	4760	Aiqamyjeu2.exe
Token: SeDebugPrivilege	4200	Aiqamyjeu2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Aiqamyjeu2.exe

description	pid	process	target process
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe
PID 4760 wrote to memory of 4200	4760	Aiqamyjeu2.exe	Aiqamyjeu2.exe

C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe
"C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe
"C:\Users\Admin\AppData\Local\Temp\Aiqamyjeu2.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4200-12-0x00000000004139DE-mapping.dmp

Download
memory/4200-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4200-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4760-2-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4760-3-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/4760-5-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4760-6-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/4760-7-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4760-8-0x0000000006A90000-0x0000000006AD9000-memory.dmp

Filesize
292KB

Download
memory/4760-9-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/4760-10-0x0000000008B40000-0x0000000008B56000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing