lokibot | a1fe7846c377b67e98dcb11b0a87dd9f1f994c1910caeaa6ce53402bbcb6f444

General

Target

QUOTATIOLIST 1 AND 2#20210624.exe
Size

1.1MB
MD5

88acc19bb5aeadde7e02503b6aa22906
SHA1

941f2c07764b1d1c95fff900e89458472c90678e
SHA256

a1fe7846c377b67e98dcb11b0a87dd9f1f994c1910caeaa6ce53402bbcb6f444
SHA512

9875fb5690ac52ae403d5de7e9eb3eb5bdfd124966c5c7e7e5421724e9cab0683b7a4b71faa077fa830d2583a167658e0d78cf86dde3858d3f15a9097359686d

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://apponline97.ir/china/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

description pid process target process

PID 3984 set thread context of 4008 3984 QUOTATIOLIST 1 AND 2#20210624.exe QUOTATIOLIST 1 AND 2#20210624.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3356 schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

pid process

4008 QUOTATIOLIST 1 AND 2#20210624.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

description pid process

Token: SeDebugPrivilege 4008 QUOTATIOLIST 1 AND 2#20210624.exe

description	pid	process	target process
PID 3984 set thread context of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe

pid	process
3356	schtasks.exe

pid	process
4008	QUOTATIOLIST 1 AND 2#20210624.exe

description	pid	process
Token: SeDebugPrivilege	4008	QUOTATIOLIST 1 AND 2#20210624.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

QUOTATIOLIST 1 AND 2#20210624.exe

description	pid	process	target process
PID 3984 wrote to memory of 3356	3984	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 3984 wrote to memory of 3356	3984	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 3984 wrote to memory of 3356	3984	QUOTATIOLIST 1 AND 2#20210624.exe	schtasks.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe
PID 3984 wrote to memory of 4008	3984	QUOTATIOLIST 1 AND 2#20210624.exe	QUOTATIOLIST 1 AND 2#20210624.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yinyHQaURQph" /XML "C:\Users\Admin\AppData\Local\Temp\tmp107B.tmp"
2⤵
- Creates scheduled task(s)
PID:3356

C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIOLIST 1 AND 2#20210624.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp107B.tmp
MD5
682fb6605b6052c73440c3a791380fd0

SHA1
2177328da62b879115482d4624aff80b8014d5f4

SHA256
33c7c0abd54d3151853a953f0377459d8a80bb1f85cdc719fc331c504a94c12c

SHA512
e0c97d175aebec39a61c948f51f8edd64bbffd324e230666e032d5fa898b32e743a3481df9e6b3e7af046e6ffe0b8d1ab7727f5ea604d591f9387b86531fcf73

Download Submit
memory/3356-125-0x0000000000000000-mapping.dmp

Download
memory/3984-121-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/3984-118-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3984-119-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3984-120-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3984-114-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3984-122-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/3984-123-0x00000000014D0000-0x0000000001538000-memory.dmp

Filesize
416KB

Download
memory/3984-124-0x0000000001140000-0x0000000001170000-memory.dmp

Filesize
192KB

Download
memory/3984-117-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3984-116-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/4008-127-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4008-128-0x00000000004139DE-mapping.dmp

Download
memory/4008-129-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads