lokibot | 909b3558b85ccc4b1890253c148345b2eecd0511c6d33f76752e14d56c9d9018

General

Target

UHoQQcne92zYcG1.exe
Size

762KB
MD5

746069df80f84617e3d83fdc53e725b0
SHA1

49be71d72f1fb60ecc955e5b5e716bcaddf1e79a
SHA256

909b3558b85ccc4b1890253c148345b2eecd0511c6d33f76752e14d56c9d9018
SHA512

2f14f7eb47a3d0ed9e8f8650ffa767e391e3197263d0d4d917126f8d1e7632dd011d8a4307f646c1fe9d855a6d1e5c0df7c8ff236b44911fa54941326a8cfcb4

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/SczbkxCQZQyVr

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

UHoQQcne92zYcG1.exe

description pid process target process

PID 4716 set thread context of 4384 4716 UHoQQcne92zYcG1.exe UHoQQcne92zYcG1.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3096 schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

UHoQQcne92zYcG1.exe

pid process

4384 UHoQQcne92zYcG1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

UHoQQcne92zYcG1.exe

description pid process

Token: SeDebugPrivilege 4384 UHoQQcne92zYcG1.exe

description	pid	process	target process
PID 4716 set thread context of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe

pid	process
3096	schtasks.exe

pid	process
4384	UHoQQcne92zYcG1.exe

description	pid	process
Token: SeDebugPrivilege	4384	UHoQQcne92zYcG1.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

UHoQQcne92zYcG1.exe

description	pid	process	target process
PID 4716 wrote to memory of 3096	4716	UHoQQcne92zYcG1.exe	schtasks.exe
PID 4716 wrote to memory of 3096	4716	UHoQQcne92zYcG1.exe	schtasks.exe
PID 4716 wrote to memory of 3096	4716	UHoQQcne92zYcG1.exe	schtasks.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe
PID 4716 wrote to memory of 4384	4716	UHoQQcne92zYcG1.exe	UHoQQcne92zYcG1.exe

C:\Users\Admin\AppData\Local\Temp\UHoQQcne92zYcG1.exe
"C:\Users\Admin\AppData\Local\Temp\UHoQQcne92zYcG1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCvOhOaUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB711.tmp"
2⤵
- Creates scheduled task(s)
PID:3096

C:\Users\Admin\AppData\Local\Temp\UHoQQcne92zYcG1.exe
"{path}"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB711.tmp
MD5
abd2fc02f5f05d21f0ea3a4edcf71d71

SHA1
731b2a0b4f9fe1e718e5ba401ebd31052d5b6fac

SHA256
47ebe9e4b89aa4d2cc5caa7237313f0ffb3aa76e69cc9fcbc99ca765f38330bc

SHA512
14f62cc69f2a99275d4656982e82353500342587cfb90fff994ae135d81ac88b1d0c9e76e6dd097c31173f486da6d685f0bac4c07eb9cd720e7caa1b8ae5a13d

Download Submit
memory/3096-11-0x0000000000000000-mapping.dmp

Download
memory/4384-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4384-14-0x00000000004139DE-mapping.dmp

Download
memory/4384-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4716-6-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4716-9-0x0000000007070000-0x00000000070EC000-memory.dmp

Filesize
496KB

Download
memory/4716-10-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/4716-8-0x0000000004DA0000-0x0000000004DAE000-memory.dmp

Filesize
56KB

Download
memory/4716-7-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/4716-2-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/4716-5-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4716-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads