lokibot | 6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb

Analysis

max time kernel
126s
max time network
128s
platform
windows7_x64
resource
win7-20220414-en
submitted
15-04-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
Size

1013KB
MD5

545559c861c015305849e49589c4b79a
SHA1

12a2138b370a95e96a4a6890154ce2c72744e13f
SHA256

6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb
SHA512

229ff2367c07146c4ce131c8709bf40857775a27687af8becd66744b3a0d97dfc94d159c621268c316829d486d204bb11363900154d8462306767ed8c551be3e

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://tranpip.com/tp/cat.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

Xcstmts.exe

pid process

1352 Xcstmts.exe

pid	process
1352	Xcstmts.exe

Loads dropped DLL 4 IoCs

Processes:

6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe

pid	process
880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

schtasks.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	schtasks.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	schtasks.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	schtasks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Xcstmts.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xcst = "C:\\Users\\Admin\\AppData\\Local\\Xcst\\Xcst_nekro.hta"	Xcstmts.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Xcstmts.exe

description pid process target process

PID 1352 set thread context of 824 1352 Xcstmts.exe schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Xcstmts.exe

pid process

1352 Xcstmts.exe
1352 Xcstmts.exe
1352 Xcstmts.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

schtasks.exe

description pid process

Token: SeDebugPrivilege 824 schtasks.exe

description	pid	process	target process
PID 1352 set thread context of 824	1352	Xcstmts.exe	schtasks.exe

pid	process
1352	Xcstmts.exe
1352	Xcstmts.exe
1352	Xcstmts.exe

description	pid	process
Token: SeDebugPrivilege	824	schtasks.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exeXcstmts.exe

description	pid	process	target process
PID 880 wrote to memory of 1352	880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe	Xcstmts.exe
PID 880 wrote to memory of 1352	880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe	Xcstmts.exe
PID 880 wrote to memory of 1352	880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe	Xcstmts.exe
PID 880 wrote to memory of 1352	880	6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe	Xcstmts.exe
PID 1352 wrote to memory of 1628	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1628	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1628	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1628	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1808	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1808	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1808	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1808	1352	Xcstmts.exe	cmd.exe
PID 1352 wrote to memory of 1704	1352	Xcstmts.exe	TapiUnattend.exe
PID 1352 wrote to memory of 1704	1352	Xcstmts.exe	TapiUnattend.exe
PID 1352 wrote to memory of 1704	1352	Xcstmts.exe	TapiUnattend.exe
PID 1352 wrote to memory of 1704	1352	Xcstmts.exe	TapiUnattend.exe
PID 1352 wrote to memory of 824	1352	Xcstmts.exe	schtasks.exe
PID 1352 wrote to memory of 824	1352	Xcstmts.exe	schtasks.exe
PID 1352 wrote to memory of 824	1352	Xcstmts.exe	schtasks.exe
PID 1352 wrote to memory of 824	1352	Xcstmts.exe	schtasks.exe
PID 1352 wrote to memory of 824	1352	Xcstmts.exe	schtasks.exe
PID 1352 wrote to memory of 824	1352	Xcstmts.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

schtasks.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	schtasks.exe

outlook_win_path 1 IoCs

Processes:

schtasks.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe
"C:\Users\Admin\AppData\Local\Temp\6777083c576a129eb42e3ac80138ac4b8852c720c6d05767da257f87e063d7cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
"C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Runex.bat" "
3⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Runex.bat" "
3⤵
PID:1808

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
3⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcst
Filesize
721KB

MD5
70f2cc22082d396ac75431d5f8241121

SHA1
285a30a1a94a5c6e2292858a76c357b94c006a1d

SHA256
a4fc6e33c0739c9e218068b534494172abcd946b2ebef3de9d291104aafd2753

SHA512
fe20c9e6ee2d7b85bf0f17906e58035f68e28b689b4bc5cce05fc75fe6feaa1cc1bbb8ccdd956f7a90fb25a1b383faf75d906ccc4bf86d7c8037f9c5c1765921

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
Filesize
872KB

MD5
245dac1e438134b48ad3210c7c9e2afa

SHA1
e7b1f727c3f704c03c8f0e11270712c979893152

SHA256
fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734

SHA512
821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
Filesize
872KB

MD5
245dac1e438134b48ad3210c7c9e2afa

SHA1
e7b1f727c3f704c03c8f0e11270712c979893152

SHA256
fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734

SHA512
821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a

Download Submit
C:\Users\Public\Runex.bat
Filesize
218B

MD5
d7f24191530a10f3e49687e5ff9e0f95

SHA1
151f7d9176ba8817db7742fb78c19ebb1e269979

SHA256
e57531f0e3d71eea881350799fb6c48bc93a221f2105fd6c0d82308731bb2ba7

SHA512
6282aa985e1d10d481f69f98dba6cbfd56afbce675359c76f13a2800a34bd2a2d48a70b81e5cac989accc3ec6001b5cd296be23d6ec80a083f63ab30584b55b4

Download Submit
C:\Users\Public\Runex.bat
Filesize
218B

MD5
d7f24191530a10f3e49687e5ff9e0f95

SHA1
151f7d9176ba8817db7742fb78c19ebb1e269979

SHA256
e57531f0e3d71eea881350799fb6c48bc93a221f2105fd6c0d82308731bb2ba7

SHA512
6282aa985e1d10d481f69f98dba6cbfd56afbce675359c76f13a2800a34bd2a2d48a70b81e5cac989accc3ec6001b5cd296be23d6ec80a083f63ab30584b55b4

Download Submit
C:\Users\Public\bcd.dll
Filesize
109KB

MD5
910a2047b5f9b0e17f8492a7710b9af0

SHA1
41a180328eec730744a69d7cdc239d965cbe66ee

SHA256
58b4397835f6e39fb6fe01a1b1fc515b4823fd08254d82bef8f5b285144f7896

SHA512
8b49786bf9c3219e33cd121985ce8b123ebaa570f606aac0c8687f3c1f2a93e1dd2dad1b4e3a1d7dc3dee5b68b2e0c45f6bee1121655eaf652608ac9001deec0

Download Submit
C:\Users\Public\bcd.dll
Filesize
109KB

MD5
910a2047b5f9b0e17f8492a7710b9af0

SHA1
41a180328eec730744a69d7cdc239d965cbe66ee

SHA256
58b4397835f6e39fb6fe01a1b1fc515b4823fd08254d82bef8f5b285144f7896

SHA512
8b49786bf9c3219e33cd121985ce8b123ebaa570f606aac0c8687f3c1f2a93e1dd2dad1b4e3a1d7dc3dee5b68b2e0c45f6bee1121655eaf652608ac9001deec0

Download Submit
C:\Windows \System32\bcd.dll
Filesize
109KB

MD5
910a2047b5f9b0e17f8492a7710b9af0

SHA1
41a180328eec730744a69d7cdc239d965cbe66ee

SHA256
58b4397835f6e39fb6fe01a1b1fc515b4823fd08254d82bef8f5b285144f7896

SHA512
8b49786bf9c3219e33cd121985ce8b123ebaa570f606aac0c8687f3c1f2a93e1dd2dad1b4e3a1d7dc3dee5b68b2e0c45f6bee1121655eaf652608ac9001deec0

Download Submit
\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
Filesize
872KB

MD5
245dac1e438134b48ad3210c7c9e2afa

SHA1
e7b1f727c3f704c03c8f0e11270712c979893152

SHA256
fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734

SHA512
821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a

Download Submit
\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
Filesize
872KB

MD5
245dac1e438134b48ad3210c7c9e2afa

SHA1
e7b1f727c3f704c03c8f0e11270712c979893152

SHA256
fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734

SHA512
821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a

Download Submit
\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
Filesize
872KB

MD5
245dac1e438134b48ad3210c7c9e2afa

SHA1
e7b1f727c3f704c03c8f0e11270712c979893152

SHA256
fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734

SHA512
821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a

Download Submit
\Users\Admin\AppData\Local\Temp\Xcstc\Xcstmts.exe
Filesize
872KB

MD5
245dac1e438134b48ad3210c7c9e2afa

SHA1
e7b1f727c3f704c03c8f0e11270712c979893152

SHA256
fa550cd969cf07bf2ef79dd4532221c1a3ec85aa1337ddb6faf6e9c65207d734

SHA512
821c88191628c36daa33243f55b0baec26007d386fda63c70759c9dc7f4aef736b8009d323bad52267d2cbf20c6a2edee7e815aa5cd7c15918d47ab6f0b6fa0a

Download Submit
memory/824-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/824-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/824-74-0x00000000004139DE-mapping.dmp

Download
memory/824-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/824-78-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/880-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1352-59-0x0000000000000000-mapping.dmp

Download
memory/1628-64-0x0000000000000000-mapping.dmp

Download
memory/1808-67-0x0000000000000000-mapping.dmp

Download