lokibot | 897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38

General

Target

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
Size

1.3MB
MD5

66f1cf3848c36e8111dc5f5a5784c2ad
SHA1

ad817b424694418345401fd28073dcaf4a24b22d
SHA256

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38
SHA512

03b8b77555909c114b380f5a4dab50e817c5edf4e23fc5eddc92c61c758ca98cdb6fadfe8f8eea3162f3831cba1cccf7a969e28bc106c775205e630fc4404e33

Score

10^/10

lokibot evasion spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/dUQz9bwGRLNK7

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

description	pid	process	target process
PID 744 set thread context of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

792 schtasks.exe

pid	process
792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

pid	process
744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

pid process

568 897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

pid	process
568	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

description	pid	process
Token: SeDebugPrivilege	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
Token: SeDebugPrivilege	568	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

description	pid	process	target process
PID 744 wrote to memory of 792	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	schtasks.exe
PID 744 wrote to memory of 792	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	schtasks.exe
PID 744 wrote to memory of 792	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	schtasks.exe
PID 744 wrote to memory of 792	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	schtasks.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
PID 744 wrote to memory of 568	744	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe	897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe

C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
"C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNNTPHTOG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp"
2⤵
- Creates scheduled task(s)
PID:792

C:\Users\Admin\AppData\Local\Temp\897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38.exe
"{path}"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBE9E.tmp
MD5
90b5765fe1c7e340c1670881964e8ca1

SHA1
849ef2a7a6a648cd5d30c859bbe1726b6e8167ab

SHA256
be5395540b5cebb80919444f5e9328bfaecf16ad273d002b11fb84df9c8e2928

SHA512
be82d438f0a2e019ebb7bb6ff4a3c73a58325ac08cf5e6d600301d120bfa1db1c6a56b0cfcac547dbcd8d7bec37e74efd04fc0d0f5300974a6ce42ca82679eb5

Download Submit
memory/568-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-13-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/568-12-0x00000000004139DE-mapping.dmp

Download
memory/568-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/744-6-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/744-8-0x0000000004C30000-0x0000000004C75000-memory.dmp

Filesize
276KB

Download
memory/744-7-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/744-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/744-5-0x0000000000500000-0x0000000000562000-memory.dmp

Filesize
392KB

Download
memory/744-3-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/792-9-0x0000000000000000-mapping.dmp

Download
memory/968-14-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads