lokibot | fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4

General

Target

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Size

664KB
MD5

b24c429ee0694dca6112612cb527f9b8
SHA1

b3cdd9f596f41c32a89e7e4aa0fcc2f653232058
SHA256

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4
SHA512

4b6c2212966be767b4974b9cb6d6c53bef9ee20ecc7a42a5bf9f7251e3f32dfed9d35498ea0d1e601083aea77b26c9f50beacd1ba9b75fb8dbe60b816793f8e4

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sudais.com.pk/oo/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	pid	process	target process
PID 1756 set thread context of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1624 PING.EXE
1308 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exefee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

pid process

1516 powershell.exe
664 powershell.exe
1756 fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

pid	process
1624	PING.EXE
1308	PING.EXE

pid	process
1516	powershell.exe
664	powershell.exe
1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exefee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exefee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	pid	process
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Token: SeDebugPrivilege	296	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1756 wrote to memory of 1516	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1756 wrote to memory of 1516	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1756 wrote to memory of 1516	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1756 wrote to memory of 1516	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1516 wrote to memory of 1624	1516	powershell.exe	PING.EXE
PID 1516 wrote to memory of 1624	1516	powershell.exe	PING.EXE
PID 1516 wrote to memory of 1624	1516	powershell.exe	PING.EXE
PID 1516 wrote to memory of 1624	1516	powershell.exe	PING.EXE
PID 1756 wrote to memory of 664	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1756 wrote to memory of 664	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1756 wrote to memory of 664	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1756 wrote to memory of 664	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 664 wrote to memory of 1308	664	powershell.exe	PING.EXE
PID 664 wrote to memory of 1308	664	powershell.exe	PING.EXE
PID 664 wrote to memory of 1308	664	powershell.exe	PING.EXE
PID 664 wrote to memory of 1308	664	powershell.exe	PING.EXE
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 1756 wrote to memory of 296	1756	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

outlook_office_path 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

outlook_win_path 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
"C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" bing.com
    3⤵
    - Runs ping.exe
    PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\SysWOW64\PING.EXE
    "C:\Windows\system32\PING.EXE" bing.com
    3⤵
    - Runs ping.exe
    PID:1308
- C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
  C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
f04a68b6329e43e6a4c12b3086b3387f

SHA1
cf4ea448fe1b36d87c64ebd26d063d16e300b644

SHA256
dfe401566f9505c0c24f99751bcbb5a7e6851e3c15b2139d95175742bbda01ec

SHA512
5baa6e38ee441f1660469d39f461b9b66f4bf1edd018336d7d1116dee123d340a15e5596b34ea87855dabd18774301761546bc2aaa4d738ee18ba00f9cb1bce8

Download Submit
memory/296-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/296-78-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/296-76-0x00000000004139DE-mapping.dmp

Download
memory/296-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/296-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/296-75-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/296-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/296-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/664-63-0x0000000000000000-mapping.dmp

Download
memory/1308-66-0x0000000000000000-mapping.dmp

Download
memory/1516-61-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1516-59-0x0000000000000000-mapping.dmp

Download
memory/1624-62-0x0000000000000000-mapping.dmp

Download
memory/1756-69-0x0000000001090000-0x00000000010AB000-memory.dmp

Filesize
108KB

Download
memory/1756-68-0x00000000005E5000-0x00000000005F6000-memory.dmp

Filesize
68KB

Download
memory/1756-67-0x0000000004E10000-0x0000000004E80000-memory.dmp

Filesize
448KB

Download
memory/1756-55-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1756-58-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1756-57-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads