lokibot | dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb

General

Target

dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe
Size

235KB
MD5

e3e088fc838eedef856bd24f1b73e0f8
SHA1

953c733031c82439544ced04e3f6ca45c8a3a19c
SHA256

dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb
SHA512

afb75a2b4fe95b565f8766a5354d9aab67580e8c9a3fde0fecf3f9c58eec0728320bbd94c981919a383c8c4ee21a73d505a8fd1c336bb3f0bf18389399eaa052

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://furnaceshst.net/ge3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1124	rzfshhfrf.exe
1984	rzfshhfrf.exe

Loads dropped DLL 3 IoCs

pid	Process
1148	dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe
1148	dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe
1124	rzfshhfrf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rzfshhfrf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rzfshhfrf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rzfshhfrf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 1984	1124	rzfshhfrf.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	rzfshhfrf.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1124	1148	dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe	27
PID 1148 wrote to memory of 1124	1148	dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe	27
PID 1148 wrote to memory of 1124	1148	dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe	27
PID 1148 wrote to memory of 1124	1148	dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe	27
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28
PID 1124 wrote to memory of 1984	1124	rzfshhfrf.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rzfshhfrf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rzfshhfrf.exe

C:\Users\Admin\AppData\Local\Temp\dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe
"C:\Users\Admin\AppData\Local\Temp\dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe
  C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe C:\Users\Admin\AppData\Local\Temp\lxlmwps
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe
    C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe C:\Users\Admin\AppData\Local\Temp\lxlmwps
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ate3i7wdivagh1sh8s

Filesize
210KB

MD5
e632e06b903981aa011f49a10262b00f

SHA1
91ad506971c1c14960c24184d1a91c1428725f09

SHA256
fbd86eb147c1626c0f0280275e4f1a9e8d46590c5718907d1336fb223ea20af7

SHA512
9da370dc4b75db290007d1c3b6531ec97db66d47046e665ca59cc55a87d26c23953fdaea0c0cf1eba01f6147db5e4de11d7ec7dbf6050ea874db6d1840e4611f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxlmwps

Filesize
5KB

MD5
b0bb98ff65304235f296c27bab2388cb

SHA1
15d60d51de4b5fd062f0e8f25b31a098ef76104f

SHA256
2400ddcc0902303277d0c591c4c4e3ecdb01f5a494b2758968e0143bc90a98b1

SHA512
83d17c0dbc94d041d7d301f248d52b2c1c11b7f406dde5513133d40a14bfda7cb76bb305925b9d80dedc493eba1238e0aac73a3479d013da5dd61fe85e30a5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe

Filesize
4KB

MD5
d12297f8de40bf8da9a2dd67355e4b1c

SHA1
2ed659f80831dfa91ff2dd27439a259481f4e74d

SHA256
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a

SHA512
039180b7da6efa1e2ad21143deda16ca882828240887f59f5a7bcf6204979b5cdccaafc3933c77590353de11cb32482c90998fe1dd7cb05d3c08a0e5c6608901

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe

Filesize
4KB

MD5
d12297f8de40bf8da9a2dd67355e4b1c

SHA1
2ed659f80831dfa91ff2dd27439a259481f4e74d

SHA256
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a

SHA512
039180b7da6efa1e2ad21143deda16ca882828240887f59f5a7bcf6204979b5cdccaafc3933c77590353de11cb32482c90998fe1dd7cb05d3c08a0e5c6608901

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe

Filesize
4KB

MD5
d12297f8de40bf8da9a2dd67355e4b1c

SHA1
2ed659f80831dfa91ff2dd27439a259481f4e74d

SHA256
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a

SHA512
039180b7da6efa1e2ad21143deda16ca882828240887f59f5a7bcf6204979b5cdccaafc3933c77590353de11cb32482c90998fe1dd7cb05d3c08a0e5c6608901

Download Submit
\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe

Filesize
4KB

MD5
d12297f8de40bf8da9a2dd67355e4b1c

SHA1
2ed659f80831dfa91ff2dd27439a259481f4e74d

SHA256
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a

SHA512
039180b7da6efa1e2ad21143deda16ca882828240887f59f5a7bcf6204979b5cdccaafc3933c77590353de11cb32482c90998fe1dd7cb05d3c08a0e5c6608901

Download Submit
\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe

Filesize
4KB

MD5
d12297f8de40bf8da9a2dd67355e4b1c

SHA1
2ed659f80831dfa91ff2dd27439a259481f4e74d

SHA256
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a

SHA512
039180b7da6efa1e2ad21143deda16ca882828240887f59f5a7bcf6204979b5cdccaafc3933c77590353de11cb32482c90998fe1dd7cb05d3c08a0e5c6608901

Download Submit
\Users\Admin\AppData\Local\Temp\rzfshhfrf.exe

Filesize
4KB

MD5
d12297f8de40bf8da9a2dd67355e4b1c

SHA1
2ed659f80831dfa91ff2dd27439a259481f4e74d

SHA256
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a

SHA512
039180b7da6efa1e2ad21143deda16ca882828240887f59f5a7bcf6204979b5cdccaafc3933c77590353de11cb32482c90998fe1dd7cb05d3c08a0e5c6608901

Download Submit
memory/1148-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1984-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1984-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing