lokibot | f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818

General

Target

ORDER.exe
Size

789KB
MD5

b954b768fcdca7acd4a9e43715139650
SHA1

343bd24a325dfd24f7ccb0ece3052175c7187002
SHA256

f35a2268af460c9d1dd472608376c7877aca3b037e030ee6366d2e41a1f25818
SHA512

31994bbcfe804827574c2f9148768ceb8c120afbd0c0275b62448b83044c270982f11e813b83c65243782203279540a12eeba84fb67904e8a6b2c73ac7fa2001

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://192.119.111.43/smack/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDER.exe

description pid process target process

PID 656 set thread context of 2112 656 ORDER.exe ORDER.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3164 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ORDER.exe

pid process

656 ORDER.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

ORDER.exe

pid process

2112 ORDER.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER.exeORDER.exe

description pid process

Token: SeDebugPrivilege 656 ORDER.exe
Token: SeDebugPrivilege 2112 ORDER.exe

description	pid	process	target process
PID 656 set thread context of 2112	656	ORDER.exe	ORDER.exe

pid	process
3164	schtasks.exe

pid	process
656	ORDER.exe

pid	process
2112	ORDER.exe

description	pid	process
Token: SeDebugPrivilege	656	ORDER.exe
Token: SeDebugPrivilege	2112	ORDER.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ORDER.exe

description	pid	process	target process
PID 656 wrote to memory of 3164	656	ORDER.exe	schtasks.exe
PID 656 wrote to memory of 3164	656	ORDER.exe	schtasks.exe
PID 656 wrote to memory of 3164	656	ORDER.exe	schtasks.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe
PID 656 wrote to memory of 2112	656	ORDER.exe	ORDER.exe

C:\Users\Admin\AppData\Local\Temp\ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XAOlwfcRy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EF2.tmp"
2⤵
- Creates scheduled task(s)
PID:3164

C:\Users\Admin\AppData\Local\Temp\ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8EF2.tmp
MD5
26409e246e2ae0a8171a0296345d50d6

SHA1
412a995e8a2781de477f42f4b2b8b1dcb8934705

SHA256
9610f88042ab1a1dabd160eb141a91f7301be7f264c618017de9ab190a01a9fd

SHA512
e030e54215a4c0334f39aa084a024b601540b8ab74e12f14f7fd5ac44952f78f80a020ab1dc73a8d306b05f35d3fdd1492e95a21790321a03f126ec475a4faee

Download Submit
memory/656-121-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/656-117-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/656-118-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/656-119-0x0000000007590000-0x0000000007A8E000-memory.dmp

Filesize
5.0MB

Download
memory/656-120-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/656-122-0x0000000009320000-0x00000000093A0000-memory.dmp

Filesize
512KB

Download
memory/656-123-0x0000000007A40000-0x0000000007A8D000-memory.dmp

Filesize
308KB

Download
memory/656-116-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/2112-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2112-127-0x00000000004139DE-mapping.dmp

Download
memory/2112-128-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3164-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads