lokibot | 4416b3d0dd3d1d8566cfb279b45c4f1ec653de8f5a133f9e85e755693eb88d8b

General

Target

3f22a041fe7e94d7147c2a328a09129b.exe
Size

349KB
MD5

3f22a041fe7e94d7147c2a328a09129b
SHA1

68ddeba66cc412548445a9b1ce693ebd0f6ca936
SHA256

4416b3d0dd3d1d8566cfb279b45c4f1ec653de8f5a133f9e85e755693eb88d8b
SHA512

6b1c5181e01d5d6a377214d48b146b9565428489c89716b2e905a9588af599f66302c858fa03fdaf33ccfcb58c18f9c40c402470097c657846ea61f06a25f963

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/fx/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Loads dropped DLL 1 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

pid process

4340 3f22a041fe7e94d7147c2a328a09129b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4340	3f22a041fe7e94d7147c2a328a09129b.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	3f22a041fe7e94d7147c2a328a09129b.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	3f22a041fe7e94d7147c2a328a09129b.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	3f22a041fe7e94d7147c2a328a09129b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

description pid process target process

PID 4340 set thread context of 3044 4340 3f22a041fe7e94d7147c2a328a09129b.exe 3f22a041fe7e94d7147c2a328a09129b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

pid process

3044 3f22a041fe7e94d7147c2a328a09129b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

description pid process

Token: SeDebugPrivilege 3044 3f22a041fe7e94d7147c2a328a09129b.exe

description	pid	process	target process
PID 4340 set thread context of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe

pid	process
3044	3f22a041fe7e94d7147c2a328a09129b.exe

description	pid	process
Token: SeDebugPrivilege	3044	3f22a041fe7e94d7147c2a328a09129b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

description	pid	process	target process
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe
PID 4340 wrote to memory of 3044	4340	3f22a041fe7e94d7147c2a328a09129b.exe	3f22a041fe7e94d7147c2a328a09129b.exe

outlook_office_path 1 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	3f22a041fe7e94d7147c2a328a09129b.exe

outlook_win_path 1 IoCs

Processes:

3f22a041fe7e94d7147c2a328a09129b.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	3f22a041fe7e94d7147c2a328a09129b.exe

C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe
"C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4340

C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe
"C:\Users\Admin\AppData\Local\Temp\3f22a041fe7e94d7147c2a328a09129b.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsqC48A.tmp\vzvocxc.dll
MD5
210270c72881a79f2e1cbe2f67a1cf3b

SHA1
25d413c9bc84820013ef81d1b7fc0915eb85d3c8

SHA256
d68a67f7f021ad2b19c175bb5c5ecb4f1e3c81ced3defa5cf62f30f15cebe4c5

SHA512
0197f8d556908bcf54ae10909201c4cbbfe53bd42f4b98d5ee2e44d3b08040dd26f3b56e65f2bfbfd9c1075081821a89200c6ac975798d7007cb71edd5a754d6

Download Submit
memory/3044-116-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3044-117-0x00000000004139DE-mapping.dmp

Download
memory/3044-118-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads