lokibot | a222f23b44ac7af5cbac74e3f60643e232ed63d8a79162d58084f5fcce5dfd52

General

Target

purchase order.pdf.exe
Size

1.4MB
MD5

9765acf7509b0800d88d96a629c0cc24
SHA1

41ca7dd1724c8a4f880c6c9094debdf3796c3c51
SHA256

a222f23b44ac7af5cbac74e3f60643e232ed63d8a79162d58084f5fcce5dfd52
SHA512

c13cfc90c81b4d22389854d5514cc6f2f4e37cec6205c52e2cf40373345963f62bb76650bcf7d67813382cb2e5aa5e88c44b2ea3d1c527a5b1d61546fc2f74a6

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/3V16BrI6suXPx

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

purchase order.pdf.exe

description pid process target process

PID 1920 set thread context of 1732 1920 purchase order.pdf.exe purchase order.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

524 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

purchase order.pdf.exe

pid process

1920 purchase order.pdf.exe
1920 purchase order.pdf.exe
1920 purchase order.pdf.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

purchase order.pdf.exe

pid process

1732 purchase order.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

purchase order.pdf.exepurchase order.pdf.exe

description pid process

Token: SeDebugPrivilege 1920 purchase order.pdf.exe
Token: SeDebugPrivilege 1732 purchase order.pdf.exe

description	pid	process	target process
PID 1920 set thread context of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe

pid	process
524	schtasks.exe

pid	process
1920	purchase order.pdf.exe
1920	purchase order.pdf.exe
1920	purchase order.pdf.exe

pid	process
1732	purchase order.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1920	purchase order.pdf.exe
Token: SeDebugPrivilege	1732	purchase order.pdf.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

purchase order.pdf.exe

description	pid	process	target process
PID 1920 wrote to memory of 524	1920	purchase order.pdf.exe	schtasks.exe
PID 1920 wrote to memory of 524	1920	purchase order.pdf.exe	schtasks.exe
PID 1920 wrote to memory of 524	1920	purchase order.pdf.exe	schtasks.exe
PID 1920 wrote to memory of 524	1920	purchase order.pdf.exe	schtasks.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe
PID 1920 wrote to memory of 1732	1920	purchase order.pdf.exe	purchase order.pdf.exe

C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HZJUoSTieh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5300.tmp"
2⤵
- Creates scheduled task(s)
PID:524

C:\Users\Admin\AppData\Local\Temp\purchase order.pdf.exe
"{path}"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5300.tmp
MD5
b3486de850e77f78814bef354ead2bf2

SHA1
c95be71c82edf866ce838f1fa82f191b6a75aa8d

SHA256
8b5fa58f080f1865ccc0d3f22d36a543a5b442d6f1ac8df29446124bcd79cd77

SHA512
a7732a14974a1fb5770a4824356b44de099de750512354dfbcc5a14854d61aabc3a4dbb492e4cf40090c984f1df14dd5d9671d135369d05e9a2ac65cb1c22856

Download Submit
memory/524-65-0x0000000000000000-mapping.dmp

Download
memory/1732-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1732-68-0x00000000004139DE-mapping.dmp

Download
memory/1732-69-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1732-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1920-59-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1920-61-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/1920-62-0x0000000000640000-0x0000000000642000-memory.dmp

Filesize
8KB

Download
memory/1920-63-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/1920-64-0x00000000006D0000-0x00000000006ED000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads