lokibot | fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a

General

Target

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
Size

306KB
MD5

d0fc2f15a3a4e69b737217ee57b52d09
SHA1

ce4dffbc0a397d8464d3000b5ef931d352b2309a
SHA256

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a
SHA512

690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/fx/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Loads dropped DLL 1 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

pid process

1268 fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description	pid	process	target process
PID 1268 set thread context of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

pid process

508 fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description pid process

Token: SeDebugPrivilege 508 fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

pid	process
508	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description	pid	process
Token: SeDebugPrivilege	508	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description	pid	process	target process
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
PID 1268 wrote to memory of 508	1268	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

outlook_office_path 1 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

outlook_win_path 1 IoCs

Processes:

fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe

C:\Users\Admin\AppData\Local\Temp\fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
"C:\Users\Admin\AppData\Local\Temp\fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe
  "C:\Users\Admin\AppData\Local\Temp\fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdC968.tmp\xdgcjrq.dll

MD5
c5e26cc7e87195f4fe60189e58f60371

SHA1
e9acc1ea2db931dbeb1f2f4aedd9c1fcef89fc3c

SHA256
bac4d9fc17676966d79a8d08df8b7a4e3bc524801d0bd9df09f18f22c6cce6a5

SHA512
642df9f87b94f3cd95003611fa19497e431647dec6dd1fc9b107b345c2c188c93625aca233037378cfbdb31036b8835c1fa3800c41abfc5ad78b336fab29a21a

Download Submit
memory/508-57-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/508-58-0x00000000004139DE-mapping.dmp

Download
memory/508-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-55-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads