lokibot | 0d9b5c176c7db0c067711afadce4630e5be2671d9f9431d5291e702d0b4cabad

General

Target

gunzipped.exe
Size

518KB
MD5

fc0199d22b504b1a551d5d0e1474fd4c
SHA1

04607145bfc8fafb8413e969593a65e2ed86a485
SHA256

0d9b5c176c7db0c067711afadce4630e5be2671d9f9431d5291e702d0b4cabad
SHA512

f4ada22cdc2acdad31e17fe99eab1edfd76364c7d00197809a2418df2e7a193703dca1e42007e3daa8e94e9c90c5edd816aac92bab900f6a4d85b85a98cfb719

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/fn1ToJTMzu3Td

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

https://www.tepevizyon.com.tr/xx/Panel/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

Ykjxjveewsffioinnxx_t new.exe

pid process

828 Ykjxjveewsffioinnxx_t new.exe
Loads dropped DLL 2 IoCs

Processes:

WScript.exe

pid process

1680 WScript.exe
1680 WScript.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gunzipped.exe

description pid process target process

PID 664 set thread context of 1972 664 gunzipped.exe gunzipped.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
828	Ykjxjveewsffioinnxx_t new.exe

pid	process
1680	WScript.exe
1680	WScript.exe

description	pid	process	target process
PID 664 set thread context of 1972	664	gunzipped.exe	gunzipped.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

gunzipped.exe

pid	process
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe
664	gunzipped.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

gunzipped.exe

pid process

1972 gunzipped.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gunzipped.exegunzipped.exe

description pid process

Token: SeDebugPrivilege 664 gunzipped.exe
Token: SeDebugPrivilege 1972 gunzipped.exe

pid	process
1972	gunzipped.exe

description	pid	process
Token: SeDebugPrivilege	664	gunzipped.exe
Token: SeDebugPrivilege	1972	gunzipped.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

gunzipped.exeWScript.exe

description	pid	process	target process
PID 664 wrote to memory of 1680	664	gunzipped.exe	WScript.exe
PID 664 wrote to memory of 1680	664	gunzipped.exe	WScript.exe
PID 664 wrote to memory of 1680	664	gunzipped.exe	WScript.exe
PID 664 wrote to memory of 1680	664	gunzipped.exe	WScript.exe
PID 664 wrote to memory of 1736	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1736	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1736	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1736	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 396	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 396	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 396	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 396	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 268	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 268	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 268	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 268	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 664 wrote to memory of 1972	664	gunzipped.exe	gunzipped.exe
PID 1680 wrote to memory of 828	1680	WScript.exe	Ykjxjveewsffioinnxx_t new.exe
PID 1680 wrote to memory of 828	1680	WScript.exe	Ykjxjveewsffioinnxx_t new.exe
PID 1680 wrote to memory of 828	1680	WScript.exe	Ykjxjveewsffioinnxx_t new.exe
PID 1680 wrote to memory of 828	1680	WScript.exe	Ykjxjveewsffioinnxx_t new.exe

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Woffykqmovlauvwlgvo.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
"C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe"
3⤵
- Executes dropped EXE
PID:828

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
2⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
2⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
2⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Woffykqmovlauvwlgvo.vbs
MD5
835e2bddca034b38b072ec3e2d794582

SHA1
93477a5a8adb29ee5980583eff9b17987ce3997c

SHA256
51696625ca5c5c605eeb6dce4b2d65445bc678770146c29ac4749e8230e0ef43

SHA512
db8c5df91fef0bbf5e4cb63b4939f043484879d89660dd9c01b0ba5581d8e63503e08e446afa919d00dcd07317d92e76e680b0f3d1ea31620040d49b71e0b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
MD5
8b2ba32b908f900bbcd982a89dd45d70

SHA1
5d204803edcc82594802dc79bdd88d66bfe00250

SHA256
9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65

SHA512
266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
MD5
8b2ba32b908f900bbcd982a89dd45d70

SHA1
5d204803edcc82594802dc79bdd88d66bfe00250

SHA256
9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65

SHA512
266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7

Download Submit
\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
MD5
8b2ba32b908f900bbcd982a89dd45d70

SHA1
5d204803edcc82594802dc79bdd88d66bfe00250

SHA256
9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65

SHA512
266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7

Download Submit
\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
MD5
8b2ba32b908f900bbcd982a89dd45d70

SHA1
5d204803edcc82594802dc79bdd88d66bfe00250

SHA256
9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65

SHA512
266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7

Download Submit
memory/664-68-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/664-60-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/664-63-0x0000000004D10000-0x0000000004D65000-memory.dmp

Filesize
340KB

Download
memory/664-62-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/828-78-0x0000000000000000-mapping.dmp

Download
memory/1680-71-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1680-69-0x0000000000000000-mapping.dmp

Download
memory/1972-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1972-73-0x00000000004139DE-mapping.dmp

Download
memory/1972-81-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing