lokibot | 80dbbe2c5ad64fb800afeafa013939c7d13cafb0568b64750b4048a51700110b

General

Target

FATURA DHL.exe
Size

915KB
MD5

97902789babf5acb6b2e1a2bf34f026d
SHA1

9d51d7393bfd5eb16a81b2d304267267d25a24c4
SHA256

80dbbe2c5ad64fb800afeafa013939c7d13cafb0568b64750b4048a51700110b
SHA512

f2ee4eaf132f6840299de1381a768f1b5a2fce91cd6b73758bf9c5157e698d92b7876a638b61a3bba8b4c8fcba0ce53a90e2c3fd0fbdff9d74012f129ce266b8

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/a5iPuKTGakcLJ

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

FATURA DHL.exe

description pid process target process

PID 520 set thread context of 1484 520 FATURA DHL.exe FATURA DHL.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FATURA DHL.exe

pid process

520 FATURA DHL.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

FATURA DHL.exe

pid process

1484 FATURA DHL.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

FATURA DHL.exeFATURA DHL.exe

description pid process

Token: SeDebugPrivilege 520 FATURA DHL.exe
Token: SeDebugPrivilege 1484 FATURA DHL.exe

description	pid	process	target process
PID 520 set thread context of 1484	520	FATURA DHL.exe	FATURA DHL.exe

pid	process
1432	schtasks.exe

pid	process
520	FATURA DHL.exe

pid	process
1484	FATURA DHL.exe

description	pid	process
Token: SeDebugPrivilege	520	FATURA DHL.exe
Token: SeDebugPrivilege	1484	FATURA DHL.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

FATURA DHL.exe

description	pid	process	target process
PID 520 wrote to memory of 1432	520	FATURA DHL.exe	schtasks.exe
PID 520 wrote to memory of 1432	520	FATURA DHL.exe	schtasks.exe
PID 520 wrote to memory of 1432	520	FATURA DHL.exe	schtasks.exe
PID 520 wrote to memory of 1432	520	FATURA DHL.exe	schtasks.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe
PID 520 wrote to memory of 1484	520	FATURA DHL.exe	FATURA DHL.exe

C:\Users\Admin\AppData\Local\Temp\FATURA DHL.exe
"C:\Users\Admin\AppData\Local\Temp\FATURA DHL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\beQchgpYlZnYm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA77.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\FATURA DHL.exe
  "{path}"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDA77.tmp

MD5
150b7e13337f67fe70375d8484658cdf

SHA1
2c9399f5ba81c7e0bd72c9d0bffcd81798e398ad

SHA256
894b38574c3a440d50f0261b94b9119b4ade2d8615023bfd54f9423f2c6b6e77

SHA512
16de9dd293d3ccdbf46eb94265e2b536ef76cdcf8b761ff69975199434487e2c7c624bd22866ef3375e10111bb2c74d39bb7911e9b8095f28a7b89beb89e158c

Download Submit
memory/520-59-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/520-61-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/520-62-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/520-63-0x0000000007F80000-0x0000000008027000-memory.dmp

Filesize
668KB

Download
memory/520-64-0x0000000004E70000-0x0000000004ECB000-memory.dmp

Filesize
364KB

Download
memory/1432-65-0x0000000000000000-mapping.dmp

Download
memory/1484-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1484-68-0x00000000004139DE-mapping.dmp

Download
memory/1484-69-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1484-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads