lokibot | f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0

General

Target

f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
Size

179KB
MD5

2046818de1e5556e217bf35c2ae6391d
SHA1

675bd42bdeb7867d0d60f5f59288fdd8fa7d04d6
SHA256

f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0
SHA512

58665c8d8ac018c298f14d4441a3377178b573db3b62cc8a12ef74437a5bf9cef61f30c3ec8caa12830b21a23dfd4643182c3638bd275a854c4f7f174f124996

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://panel-report-logs.ml/alhaji/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

ntkuk.exentkuk.exe

pid process

912 ntkuk.exe
848 ntkuk.exe

pid	process
912	ntkuk.exe
848	ntkuk.exe

Loads dropped DLL 3 IoCs

Processes:

f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exentkuk.exe

pid	process
1036	f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
1036	f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
912	ntkuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ntkuk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ntkuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ntkuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ntkuk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ntkuk.exe

description pid process target process

PID 912 set thread context of 848 912 ntkuk.exe ntkuk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ntkuk.exe

description pid process

Token: SeDebugPrivilege 848 ntkuk.exe

description	pid	process	target process
PID 912 set thread context of 848	912	ntkuk.exe	ntkuk.exe

description	pid	process
Token: SeDebugPrivilege	848	ntkuk.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exentkuk.exe

description	pid	process	target process
PID 1036 wrote to memory of 912	1036	f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe	ntkuk.exe
PID 1036 wrote to memory of 912	1036	f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe	ntkuk.exe
PID 1036 wrote to memory of 912	1036	f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe	ntkuk.exe
PID 1036 wrote to memory of 912	1036	f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe
PID 912 wrote to memory of 848	912	ntkuk.exe	ntkuk.exe

outlook_office_path 1 IoCs

Processes:

ntkuk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ntkuk.exe

outlook_win_path 1 IoCs

Processes:

ntkuk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ntkuk.exe

C:\Users\Admin\AppData\Local\Temp\f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe
"C:\Users\Admin\AppData\Local\Temp\f70ec28e2a91f35a01a45d2083c4442b33a7c32224fab7238a7ee9e3ccbed4d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\ntkuk.exe
  C:\Users\Admin\AppData\Local\Temp\ntkuk.exe C:\Users\Admin\AppData\Local\Temp\iafgzafbz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\ntkuk.exe
    C:\Users\Admin\AppData\Local\Temp\ntkuk.exe C:\Users\Admin\AppData\Local\Temp\iafgzafbz
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iafgzafbz

Filesize
5KB

MD5
2b9be0d630cc3af3fe253f99f64e9ab8

SHA1
e9b1b28ce00d6a6e37368bc22b74bc2bced9949f

SHA256
077740e9ed59531bac74a6704ff63036a99e5d53220da4d29070275674014349

SHA512
df069ba7dcb6e0fd5d5344ff57c04d3fe89cc9f8a2b0f3f92aaf9032c99add3d0a4fb283c2a0eb5f637ad6f9c53e2ec92e2465fadd7763e555a6fe3781572c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkuk.exe

Filesize
74KB

MD5
ccce4bbb22527fec2e48d87edd4796e7

SHA1
7f501ec74a916ee08f0610b08ce60043b52c14bc

SHA256
1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9

SHA512
8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkuk.exe

Filesize
74KB

MD5
ccce4bbb22527fec2e48d87edd4796e7

SHA1
7f501ec74a916ee08f0610b08ce60043b52c14bc

SHA256
1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9

SHA512
8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkuk.exe

Filesize
74KB

MD5
ccce4bbb22527fec2e48d87edd4796e7

SHA1
7f501ec74a916ee08f0610b08ce60043b52c14bc

SHA256
1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9

SHA512
8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjs2s6fjqknboi2kmm9

Filesize
103KB

MD5
9dfc64f1441b8508b9b6d36abdb088bd

SHA1
2c8b69d770377dd0f02296cd9004b5846e9ba9a5

SHA256
bec04805ac096a68e6675e9d724eb4e443569947ea53c9646f4304fe9ce75b95

SHA512
a3303be799a3db698566ca84fce17dfe17d449ea1edf68a9c5776ee76622b6dfb9e2e109d574c1be382937649d9edda7b49c688ad7cf4090da203db3f7dba7ce

Download Submit
\Users\Admin\AppData\Local\Temp\ntkuk.exe

Filesize
74KB

MD5
ccce4bbb22527fec2e48d87edd4796e7

SHA1
7f501ec74a916ee08f0610b08ce60043b52c14bc

SHA256
1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9

SHA512
8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461

Download Submit
\Users\Admin\AppData\Local\Temp\ntkuk.exe

Filesize
74KB

MD5
ccce4bbb22527fec2e48d87edd4796e7

SHA1
7f501ec74a916ee08f0610b08ce60043b52c14bc

SHA256
1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9

SHA512
8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461

Download Submit
\Users\Admin\AppData\Local\Temp\ntkuk.exe

Filesize
74KB

MD5
ccce4bbb22527fec2e48d87edd4796e7

SHA1
7f501ec74a916ee08f0610b08ce60043b52c14bc

SHA256
1b894e137e6efa31a608088c04b09874113b4037fa2f070d844aa4276bf01bd9

SHA512
8f7d3b1a41ae3abbb2af1c7dd7243cb0ad1c2b3ea8177f292f10aab4a268516aea9ff39746f6b67738afa166132387d4cf17dde3f407db0a559843f3774a2461

Download Submit
memory/848-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/848-65-0x00000000004139DE-mapping.dmp

Download
memory/848-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/848-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-57-0x0000000000000000-mapping.dmp

Download
memory/1036-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads