lokibot | a1fe7846c377b67e98dcb11b0a87dd9f1f994c1910caeaa6ce53402bbcb6f444

General

Target

QUOTATIOLIST 1 AND 2#20210624.exe
Size

1.1MB
MD5

88acc19bb5aeadde7e02503b6aa22906
SHA1

941f2c07764b1d1c95fff900e89458472c90678e
SHA256

a1fe7846c377b67e98dcb11b0a87dd9f1f994c1910caeaa6ce53402bbcb6f444
SHA512

9875fb5690ac52ae403d5de7e9eb3eb5bdfd124966c5c7e7e5421724e9cab0683b7a4b71faa077fa830d2583a167658e0d78cf86dde3858d3f15a9097359686d

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://apponline97.ir/china/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

description pid process target process

PID 1964 set thread context of 1380 1964 QUOTATIOLIST 1 AND 2#20210624.exe QUOTATIOLIST 1 AND 2#20210624.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

340 schtasks.exe

description	pid	process	target process
PID 1964 set thread context of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe

pid	process
340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

pid	process
1964	QUOTATIOLIST 1 AND 2#20210624.exe
1964	QUOTATIOLIST 1 AND 2#20210624.exe
1964	QUOTATIOLIST 1 AND 2#20210624.exe
1964	QUOTATIOLIST 1 AND 2#20210624.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

pid process

1380 QUOTATIOLIST 1 AND 2#20210624.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exeQUOTATIOLIST 1 AND 2#20210624.exe

description pid process

Token: SeDebugPrivilege 1964 QUOTATIOLIST 1 AND 2#20210624.exe
Token: SeDebugPrivilege 1380 QUOTATIOLIST 1 AND 2#20210624.exe

pid	process
1380	QUOTATIOLIST 1 AND 2#20210624.exe

description	pid	process
Token: SeDebugPrivilege	1964	QUOTATIOLIST 1 AND 2#20210624.exe
Token: SeDebugPrivilege	1380	QUOTATIOLIST 1 AND 2#20210624.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yinyHQaURQph" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp"
2⤵
- Creates scheduled task(s)
PID:340

C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe"
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe"
2⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp
MD5
9d15b5623d650a97b3cc3b6255b9e6d5

SHA1
3277e84cb8fe21850fbdbbd6a38ca4c2f2bb17be

SHA256
e7b6a6b2634620c87d0e7fe6cba79032415dbefc479c082a5f1f7bc40542c5d3

SHA512
6ca44972b9cfd8b3ffcb0529eaf74f9ad9abe163fff23ef1acd23a590e7d0ded9a7aaa88cb6b89cc59661a176f1f3d2e11ba3677a87374e674413d74126dcbfd

Download Submit
memory/340-65-0x0000000000000000-mapping.dmp

Download
memory/1380-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1380-68-0x00000000004139DE-mapping.dmp

Download
memory/1380-69-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1380-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1964-59-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1964-61-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/1964-62-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1964-63-0x0000000004F00000-0x0000000004F68000-memory.dmp

Filesize
416KB

Download
memory/1964-64-0x0000000004810000-0x0000000004840000-memory.dmp

Filesize
192KB

Download

description	pid	process	target process
PID 1964 wrote to memory of 340	1964	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 1964 wrote to memory of 340	1964	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 1964 wrote to memory of 340	1964	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 1964 wrote to memory of 340	1964	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 1964 wrote to memory of 1644	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1644	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1644	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1644	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1384	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1384	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1384	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1384	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 1964 wrote to memory of 1380	1964	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads