lokibot | fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4

General

Target

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Size

664KB
MD5

b24c429ee0694dca6112612cb527f9b8
SHA1

b3cdd9f596f41c32a89e7e4aa0fcc2f653232058
SHA256

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4
SHA512

4b6c2212966be767b4974b9cb6d6c53bef9ee20ecc7a42a5bf9f7251e3f32dfed9d35498ea0d1e601083aea77b26c9f50beacd1ba9b75fb8dbe60b816793f8e4

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sudais.com.pk/oo/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	pid	process	target process
PID 4080 set thread context of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2212 PING.EXE
3160 PING.EXE

pid	process
2212	PING.EXE
3160	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exefee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

pid	process
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

pid process

2304 fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

pid	process
2304	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exefee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exefee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	pid	process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
Token: SeDebugPrivilege	2304	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4080 wrote to memory of 1196	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 4080 wrote to memory of 1196	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 4080 wrote to memory of 1196	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 1196 wrote to memory of 2212	1196	powershell.exe	PING.EXE
PID 1196 wrote to memory of 2212	1196	powershell.exe	PING.EXE
PID 1196 wrote to memory of 2212	1196	powershell.exe	PING.EXE
PID 4080 wrote to memory of 2068	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 4080 wrote to memory of 2068	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 4080 wrote to memory of 2068	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	powershell.exe
PID 2068 wrote to memory of 3160	2068	powershell.exe	PING.EXE
PID 2068 wrote to memory of 3160	2068	powershell.exe	PING.EXE
PID 2068 wrote to memory of 3160	2068	powershell.exe	PING.EXE
PID 4080 wrote to memory of 1412	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 1412	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 1412	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
PID 4080 wrote to memory of 2304	4080	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

outlook_office_path 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

outlook_win_path 1 IoCs

Processes:

fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe

C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
"C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" bing.com
3⤵
- Runs ping.exe
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping bing.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" bing.com
3⤵
- Runs ping.exe
PID:3160

C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
C:\Users\Admin\AppData\Local\Temp\fee0780cf99da7110b447206c6ab6a3edd658fc2c004c876b22d8194594265f4.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
03f9bd0c432f2dc23e3e16af1df73746

SHA1
e0464e90ee5fab32bf550ed6756e43cdbf7925fc

SHA256
c2925faf37c01ab8599231e8839e1e21e327652484d1e889e75e82b195bf2222

SHA512
4b34a6c45f9bdd6ed7d0725b7e4c7b9f3b48b045fdb4d56eb82e4c62cb1dea3ed52cd03b85418ba98cbd1276be3b0fb24be6d0a779e4c9c57438f314ec631992

Download Submit
memory/1196-137-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/1196-134-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/1196-153-0x0000000004B84000-0x0000000004B86000-memory.dmp

Filesize
8KB

Download
memory/1196-139-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1196-125-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1196-126-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/1196-127-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1196-128-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/1196-129-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1196-130-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/1196-131-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1196-132-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/1196-133-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/1196-151-0x0000000004B83000-0x0000000004B84000-memory.dmp

Filesize
4KB

Download
memory/1196-135-0x0000000008310000-0x0000000008311000-memory.dmp

Filesize
4KB

Download
memory/1196-136-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/1196-124-0x0000000000000000-mapping.dmp

Download
memory/2068-163-0x0000000004FF4000-0x0000000004FF6000-memory.dmp

Filesize
8KB

Download
memory/2068-162-0x0000000004FF3000-0x0000000004FF4000-memory.dmp

Filesize
4KB

Download
memory/2068-159-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2068-142-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2068-143-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2068-156-0x0000000004FF2000-0x0000000004FF3000-memory.dmp

Filesize
4KB

Download
memory/2068-155-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2068-140-0x0000000000000000-mapping.dmp

Download
memory/2212-138-0x0000000000000000-mapping.dmp

Download
memory/2304-166-0x00000000004139DE-mapping.dmp

Download
memory/2304-165-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2304-167-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3160-158-0x0000000000000000-mapping.dmp

Download
memory/4080-120-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/4080-121-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4080-160-0x0000000007DD0000-0x0000000007E40000-memory.dmp

Filesize
448KB

Download
memory/4080-122-0x0000000005090000-0x000000000558E000-memory.dmp

Filesize
5.0MB

Download
memory/4080-118-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4080-164-0x0000000007A50000-0x0000000007A6B000-memory.dmp

Filesize
108KB

Download
memory/4080-123-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads