lokibot | aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc

General

Target

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
Size

295KB
MD5

35e2bdf8ec69f9ca0bca535197a729de
SHA1

6992f51d8e4e8dae62bc2f6478a4adae7f9eba34
SHA256

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc
SHA512

7232e43463649487cae4a06ead56edc548563630f325e450a5681fe5cc39ffd1a2a6ae6ead666d0bf3d3f7263456f641912cf4fe7aea04e2478eaef534844038

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://hstfurnaces.net/bb/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

lkqovoiq.exelkqovoiq.exe

pid process

996 lkqovoiq.exe
816 lkqovoiq.exe

pid	process
996	lkqovoiq.exe
816	lkqovoiq.exe

Loads dropped DLL 3 IoCs

Processes:

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exelkqovoiq.exe

pid	process
1036	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
1036	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
996	lkqovoiq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

lkqovoiq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lkqovoiq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	lkqovoiq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lkqovoiq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lkqovoiq.exe

description pid process target process

PID 996 set thread context of 816 996 lkqovoiq.exe lkqovoiq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lkqovoiq.exe

description pid process

Token: SeDebugPrivilege 816 lkqovoiq.exe

description	pid	process	target process
PID 996 set thread context of 816	996	lkqovoiq.exe	lkqovoiq.exe

description	pid	process
Token: SeDebugPrivilege	816	lkqovoiq.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exelkqovoiq.exe

description	pid	process	target process
PID 1036 wrote to memory of 996	1036	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 1036 wrote to memory of 996	1036	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 1036 wrote to memory of 996	1036	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 1036 wrote to memory of 996	1036	aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe
PID 996 wrote to memory of 816	996	lkqovoiq.exe	lkqovoiq.exe

outlook_office_path 1 IoCs

Processes:

lkqovoiq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lkqovoiq.exe

outlook_win_path 1 IoCs

Processes:

lkqovoiq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lkqovoiq.exe

C:\Users\Admin\AppData\Local\Temp\aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe
"C:\Users\Admin\AppData\Local\Temp\aae4511c45c0254617b6fd19162092c32773bfbba5bbc406af64e782aa1f06dc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe C:\Users\Admin\AppData\Local\Temp\ruskol
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe C:\Users\Admin\AppData\Local\Temp\ruskol
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
C:\Users\Admin\AppData\Local\Temp\od8kuhrmmzrp1u52np5i
MD5
10ca7fc53a9ebf555f4d2110d9e24249

SHA1
0ee055b5812d098634f607742137eec9100274c5

SHA256
602043eb658596d7531f615fe24f346bf9c81ed16c9dda45359c95ff1e7ef5a8

SHA512
5647279d8b96266dee1fbb3396ddd9c3599afa993e85ca42a66b5182d063469d30efe28a6d5536be2b20d86d69aa9dbd1391ffde8854fc8bf2c20c6b1719ad8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruskol
MD5
2a88e12b7471b4dd42f31e0aed15e05d

SHA1
6c5cc2242d9fb1b77f426b8495c98273326819dc

SHA256
cbfb83205cefb664bf19e3908137002c06c60d49520812e085e9ee8b402bae49

SHA512
77f6b0f29cf0e497730d62b6ec987496e9f02f36427e64f109e319f7534eb43f37314c63fbaa07ff721e9920a751097d577f6c729bccfc537885821e55da14d2

Download Submit
\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
\Users\Admin\AppData\Local\Temp\lkqovoiq.exe
MD5
c9181542b3c1392a8d68f14e677ccd42

SHA1
4b470322716c69aa8bf8bef98f3a73f90921c972

SHA256
9a66c5f412ffb74f4c9ad4954f74001ae241a225a3bc591aeb854c1296eed056

SHA512
2c12c2dc1861bd8d2b611d8ddeb6a92f9cadd93f5fed27042760a8dc9fe8fb08b6a7b7562ebff729c86f5a1b2f8d813ddce95476ac7ea87d4a54199199b4d621

Download Submit
memory/816-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/816-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/996-61-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1036-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads