lokibot | f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818

General

Target

ORDER.exe
Size

789KB
MD5

b954b768fcdca7acd4a9e43715139650
SHA1

343bd24a325dfd24f7ccb0ece3052175c7187002
SHA256

f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818
SHA512

31994bbcfe804827574c2f9148768ceb8c120afbd0c0275b62448b83044c270982f11e813b83c65243782203279540a12eeba84fb67904e8a6b2c73ac7fa2001

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://192.119.111.43/smack/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER.exe

description pid process target process

PID 2576 set thread context of 2584 2576 ORDER.exe ORDER.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2100 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ORDER.exe

pid process

2576 ORDER.exe
2576 ORDER.exe
2576 ORDER.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

ORDER.exe

pid process

2584 ORDER.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER.exeORDER.exe

description pid process

Token: SeDebugPrivilege 2576 ORDER.exe
Token: SeDebugPrivilege 2584 ORDER.exe

description	pid	process	target process
PID 2576 set thread context of 2584	2576	ORDER.exe	ORDER.exe

pid	process
2100	schtasks.exe

pid	process
2576	ORDER.exe
2576	ORDER.exe
2576	ORDER.exe

pid	process
2584	ORDER.exe

description	pid	process
Token: SeDebugPrivilege	2576	ORDER.exe
Token: SeDebugPrivilege	2584	ORDER.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ORDER.exe

description	pid	process	target process
PID 2576 wrote to memory of 2100	2576	ORDER.exe	schtasks.exe
PID 2576 wrote to memory of 2100	2576	ORDER.exe	schtasks.exe
PID 2576 wrote to memory of 2100	2576	ORDER.exe	schtasks.exe
PID 2576 wrote to memory of 2300	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2300	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2300	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe
PID 2576 wrote to memory of 2584	2576	ORDER.exe	ORDER.exe

C:\Users\Admin\AppData\Local\Temp\ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XAOlwfcRy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9CE.tmp"
2⤵
- Creates scheduled task(s)
PID:2100

C:\Users\Admin\AppData\Local\Temp\ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC9CE.tmp
MD5
7d36996237e91b3e622a2459b39f8c1b

SHA1
ddaff9f1056b44cf6d4c3361f132e7f8403beb36

SHA256
3d1b0e5ee161a6fbb0a3b187775e8f52f5231bd1718e1a3860ade600bd3314b1

SHA512
8ed4a7432d3f9aef84a05788e0755ce2f799ff598ee719a130d5d4c76b3cccf6114e10cb8d797aefa8f051ec2e191ca59a537648b357680a03a68d744a93af44

Download Submit
memory/2100-124-0x0000000000000000-mapping.dmp

Download
memory/2576-118-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/2576-114-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2576-119-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/2576-120-0x0000000007D70000-0x000000000826E000-memory.dmp

Filesize
5.0MB

Download
memory/2576-121-0x0000000008090000-0x00000000080A0000-memory.dmp

Filesize
64KB

Download
memory/2576-122-0x000000000B340000-0x000000000B3C0000-memory.dmp

Filesize
512KB

Download
memory/2576-123-0x0000000003300000-0x000000000334D000-memory.dmp

Filesize
308KB

Download
memory/2576-117-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/2576-116-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/2584-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2584-127-0x00000000004139DE-mapping.dmp

Download
memory/2584-128-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads