lokibot | 1358629ee5a2a95f315fde2b02b2a406a66410c8f3a041211fe85c797692c93c

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7v20210408
submitted
24-06-2021 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
Size

791KB
MD5

5d651714669a45db84939208acf9b50d
SHA1

db771f2ef555c278169d0dac547394cc133eb648
SHA256

1358629ee5a2a95f315fde2b02b2a406a66410c8f3a041211fe85c797692c93c
SHA512

576c38b751602197d53cb8a55fc3e8718b65316b2fc53a8a49c35e800a1d83c905ea043d36cdda2ee3b1a23ab07d13452dbb046bbf1b125d3bbb872b785eb40c

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://63.141.228.141/32.php/fn1ToJTMzu3Td

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

https://www.tepevizyon.com.tr/xx/Panel/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 3 IoCs

Processes:

Ladudaqconsoleapp8m.exeLadudaqconsoleapp8m.exeLadudaqconsoleapp8m.exe

pid process

1524 Ladudaqconsoleapp8m.exe
1544 Ladudaqconsoleapp8m.exe
1580 Ladudaqconsoleapp8m.exe
Loads dropped DLL 3 IoCs

Processes:

WScript.exeLadudaqconsoleapp8m.exe

pid process

1324 WScript.exe
1524 Ladudaqconsoleapp8m.exe
1524 Ladudaqconsoleapp8m.exe

pid	process
1524	Ladudaqconsoleapp8m.exe
1544	Ladudaqconsoleapp8m.exe
1580	Ladudaqconsoleapp8m.exe

pid	process
1324	WScript.exe
1524	Ladudaqconsoleapp8m.exe
1524	Ladudaqconsoleapp8m.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exeLadudaqconsoleapp8m.exe

description	pid	process	target process
PID 792 set thread context of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 1524 set thread context of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exeLadudaqconsoleapp8m.exe

pid	process
792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
1524	Ladudaqconsoleapp8m.exe
1524	Ladudaqconsoleapp8m.exe
1524	Ladudaqconsoleapp8m.exe
1524	Ladudaqconsoleapp8m.exe
1524	Ladudaqconsoleapp8m.exe
1524	Ladudaqconsoleapp8m.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe

pid process

1312 Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe

pid	process
1312	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exeCustomer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exeLadudaqconsoleapp8m.exeLadudaqconsoleapp8m.exe

description	pid	process
Token: SeDebugPrivilege	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
Token: SeDebugPrivilege	1312	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
Token: SeDebugPrivilege	1524	Ladudaqconsoleapp8m.exe
Token: SeDebugPrivilege	1580	Ladudaqconsoleapp8m.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exeWScript.exeLadudaqconsoleapp8m.exe

description	pid	process	target process
PID 792 wrote to memory of 1324	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	WScript.exe
PID 792 wrote to memory of 1324	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	WScript.exe
PID 792 wrote to memory of 1324	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	WScript.exe
PID 792 wrote to memory of 1324	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	WScript.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 792 wrote to memory of 1312	792	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe	Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
PID 1324 wrote to memory of 1524	1324	WScript.exe	Ladudaqconsoleapp8m.exe
PID 1324 wrote to memory of 1524	1324	WScript.exe	Ladudaqconsoleapp8m.exe
PID 1324 wrote to memory of 1524	1324	WScript.exe	Ladudaqconsoleapp8m.exe
PID 1324 wrote to memory of 1524	1324	WScript.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1544	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1544	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1544	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1544	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe
PID 1524 wrote to memory of 1580	1524	Ladudaqconsoleapp8m.exe	Ladudaqconsoleapp8m.exe

C:\Users\Admin\AppData\Local\Temp\Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bakyzxtncsftio.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
"C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
4⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Customer Advisory - Notice of implementing Congestion surcharge (CGD) (1).pdf.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bakyzxtncsftio.vbs
MD5
ad4c9fd3751187f271054a329048c002

SHA1
d4b25b3804ce41703dfb20be53cdbc13d879adfc

SHA256
ed4abed29e979acce477cc5ed435bb2c6d8a1401f75d95ec404b13fb22ee400a

SHA512
c590450c216acc6bf80a1eae94808f0a14042c8bea8b00ab2289957bb21b6704713b13e9fe293a3305cea6a4e618404e43856451807856fad096e9cf476ceaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
C:\Users\Admin\AppData\Roaming\6D26FE\EDB2FC.hdb
MD5
6e5991ad90048a48f15753189db599f6

SHA1
40b28a210d8579ea0b49c1c79351ff45db5f1e01

SHA256
57151d64d3b54250d35016c2146be081d2692976edc824233d5556b973ff80d7

SHA512
4347af77f90c2ca1ea4a66acc7d4005322fbe41f719c8edbe3a4dfc4188912c0f550da155ed2637ad060960ea2f45dee15f1e341c05c702995f040a09ceada87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2455352368-1077083310-2879168483-1000\0f5007522459c86e95ffcc62f32308f1_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
\Users\Admin\AppData\Local\Temp\Ladudaqconsoleapp8m.exe
MD5
9e3dafee08217b05a6217c55ac4cee5e

SHA1
750a6b986fab11df9eef9a91a434171f48705599

SHA256
969023d5e0b8e904e5dd9b9fe9a819aaa068ec62bd33bb7d6118c4e4199572e7

SHA512
276a2381a88b79d03db2530867145566433a6a9534c91043f259685736a9a5c9f0e702e32e6d054d2dbc8b75b48e6b1c140f0259dbdd12d6d3ff47ae812b0dd2

Download Submit
memory/792-62-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/792-63-0x0000000004EE0000-0x0000000004F7D000-memory.dmp

Filesize
628KB

Download
memory/792-68-0x0000000007FA0000-0x0000000008051000-memory.dmp

Filesize
708KB

Download
memory/792-60-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/1312-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1312-81-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1312-73-0x00000000004139DE-mapping.dmp

Download
memory/1324-71-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1324-69-0x0000000000000000-mapping.dmp

Download
memory/1524-88-0x0000000004860000-0x00000000048C1000-memory.dmp

Filesize
388KB

Download
memory/1524-83-0x0000000000910000-0x000000000095B000-memory.dmp

Filesize
300KB

Download
memory/1524-82-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1524-79-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1524-77-0x0000000000000000-mapping.dmp

Download
memory/1580-92-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1580-93-0x00000000004139DE-mapping.dmp

Download
memory/1580-96-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download