lokibot | 3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55

General

Target

3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exe
Size

178KB
MD5

98a602591bf121ef9282ce623291a941
SHA1

0c54e2ccbb64815c9e981af8e35feec1efedbd2c
SHA256

3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55
SHA512

83f5af0bdc87f88056abd03eb7dab32e6a21204ec9bb8b8ce328f3ea9c7ab7e764b1cf358ad16dbb7c1016847fadc029e248420f8298927ad8e9b364140f2aa6

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://neduskyy.buzz/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

isjknie.exeisjknie.exe

pid process

4064 isjknie.exe
544 isjknie.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4064	isjknie.exe
544	isjknie.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

isjknie.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	isjknie.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	isjknie.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	isjknie.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

isjknie.exe

description pid process target process

PID 4064 set thread context of 544 4064 isjknie.exe isjknie.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

isjknie.exe

description pid process

Token: SeDebugPrivilege 544 isjknie.exe

description	pid	process	target process
PID 4064 set thread context of 544	4064	isjknie.exe	isjknie.exe

description	pid	process
Token: SeDebugPrivilege	544	isjknie.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exeisjknie.exe

description	pid	process	target process
PID 4700 wrote to memory of 4064	4700	3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exe	isjknie.exe
PID 4700 wrote to memory of 4064	4700	3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exe	isjknie.exe
PID 4700 wrote to memory of 4064	4700	3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe
PID 4064 wrote to memory of 544	4064	isjknie.exe	isjknie.exe

outlook_office_path 1 IoCs

Processes:

isjknie.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	isjknie.exe

outlook_win_path 1 IoCs

Processes:

isjknie.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	isjknie.exe

C:\Users\Admin\AppData\Local\Temp\3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exe
"C:\Users\Admin\AppData\Local\Temp\3c5103c77675f880bf0922121845f60f155d06eae43f7519c4916bb3196b8e55.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\isjknie.exe
  C:\Users\Admin\AppData\Local\Temp\isjknie.exe C:\Users\Admin\AppData\Local\Temp\dnuvdnmsaw
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\isjknie.exe
    C:\Users\Admin\AppData\Local\Temp\isjknie.exe C:\Users\Admin\AppData\Local\Temp\dnuvdnmsaw
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dnuvdnmsaw

Filesize
5KB

MD5
1a1915f0244e7fbaeed2c81ff9ca6dd0

SHA1
3f8a75a01bc9021a8d1905df7af7bdde896eafa0

SHA256
40b367418a2bebb1c5cc1714f09169b5b246f19b833d9fae5bbbeb626510a291

SHA512
12efa0dc87a2132a5404ec72b2a49f4cb2f602c270551bcbb84bb9d09a213d89276554a21a0e7dd7d3b5bf30bf52bafaec7938142f11029358fae21c781c6ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\isjknie.exe

Filesize
74KB

MD5
eb67169bcda3522e0f5d2c88404782da

SHA1
57d9516f8d3f5fd3762daee92aceb5d8f2eb52d4

SHA256
b96c0d5bec449333eb2183c7e9bc3c224d9b5f6c3d2730a5de47b966774c69ec

SHA512
45061c1f52c47644ea2009507976b4ebbd8594c421034103b6143d379cd41aa65eadcb21f073f40e0e6ffbe461b4f79c7d2f825a9f8c68b9623a6144680dec51

Download Submit
C:\Users\Admin\AppData\Local\Temp\isjknie.exe

Filesize
74KB

MD5
eb67169bcda3522e0f5d2c88404782da

SHA1
57d9516f8d3f5fd3762daee92aceb5d8f2eb52d4

SHA256
b96c0d5bec449333eb2183c7e9bc3c224d9b5f6c3d2730a5de47b966774c69ec

SHA512
45061c1f52c47644ea2009507976b4ebbd8594c421034103b6143d379cd41aa65eadcb21f073f40e0e6ffbe461b4f79c7d2f825a9f8c68b9623a6144680dec51

Download Submit
C:\Users\Admin\AppData\Local\Temp\isjknie.exe

Filesize
74KB

MD5
eb67169bcda3522e0f5d2c88404782da

SHA1
57d9516f8d3f5fd3762daee92aceb5d8f2eb52d4

SHA256
b96c0d5bec449333eb2183c7e9bc3c224d9b5f6c3d2730a5de47b966774c69ec

SHA512
45061c1f52c47644ea2009507976b4ebbd8594c421034103b6143d379cd41aa65eadcb21f073f40e0e6ffbe461b4f79c7d2f825a9f8c68b9623a6144680dec51

Download Submit
C:\Users\Admin\AppData\Local\Temp\mltq8b9uoa

Filesize
103KB

MD5
7e4cbba5fae652ecd6306ce9e31c26b1

SHA1
4fcd7bb6fd0aa3fb221ed1578214a6d8c443c4bb

SHA256
1ebfc5ab45ed11615688142ad7c7ecf45fb3847cc8fd8a58488a32aff8547f38

SHA512
a909b3b6cb6cf6574fc84b1b4683055e8099613a3886265006d55cd03ecf020ec54a5fac6630d2091942f7ce571695440611c65e674ddd5d2041e26f881af1bc

Download Submit
memory/544-135-0x0000000000000000-mapping.dmp

Download
memory/544-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/544-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/544-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4064-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads