lokibot | e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982

General

Target

e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
Size

123KB
MD5

e1463b97ee667e41750ae4531146df03
SHA1

2b45b7992c30e83bd067c694a5895149fa10cedc
SHA256

e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982
SHA512

b91034e21f7fa6a6b12883ef080f27173eb0524b1c160da4ad33abcd09ac0a9fdc8fa9817321c8823a89655afc40030dbb381eeaef410e34fd9c05ce4473243b

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://aboyox.xyz/aboy/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

qxthqzi.exeqxthqzi.exe

pid process

2036 qxthqzi.exe
2012 qxthqzi.exe
Loads dropped DLL 2 IoCs

Processes:

e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exeqxthqzi.exe

pid process

1180 e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
2036 qxthqzi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2036	qxthqzi.exe
2012	qxthqzi.exe

pid	process
1180	e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
2036	qxthqzi.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

qxthqzi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qxthqzi.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	qxthqzi.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qxthqzi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qxthqzi.exe

description pid process target process

PID 2036 set thread context of 2012 2036 qxthqzi.exe qxthqzi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qxthqzi.exe

description pid process

Token: SeDebugPrivilege 2012 qxthqzi.exe

description	pid	process	target process
PID 2036 set thread context of 2012	2036	qxthqzi.exe	qxthqzi.exe

description	pid	process
Token: SeDebugPrivilege	2012	qxthqzi.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exeqxthqzi.exe

description	pid	process	target process
PID 1180 wrote to memory of 2036	1180	e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe	qxthqzi.exe
PID 1180 wrote to memory of 2036	1180	e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe	qxthqzi.exe
PID 1180 wrote to memory of 2036	1180	e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe	qxthqzi.exe
PID 1180 wrote to memory of 2036	1180	e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe
PID 2036 wrote to memory of 2012	2036	qxthqzi.exe	qxthqzi.exe

outlook_office_path 1 IoCs

Processes:

qxthqzi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qxthqzi.exe

outlook_win_path 1 IoCs

Processes:

qxthqzi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qxthqzi.exe

C:\Users\Admin\AppData\Local\Temp\e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe
"C:\Users\Admin\AppData\Local\Temp\e1e62fbf8a6bdeaf99eec0c4acc750dd5cbd0638731261fbbe8b149975ddc982.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe
C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe C:\Users\Admin\AppData\Local\Temp\qlengad
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe
C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe C:\Users\Admin\AppData\Local\Temp\qlengad
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\664adve5f24hllghjjj9
Filesize
103KB

MD5
a1abf460ac1a016fae3a1b2dd4d4e355

SHA1
9b868905deb28c805f84ad4d2f61a4d6818078fd

SHA256
6bd49ad6827445df429c2775874396257e5376a18dca23a9abd97aafc5ba2f2e

SHA512
a7a5a55f23601489dd5eebd1f3674cc82250983594985e6053520e4cf238dd4dc8f73ec1302855f2d0158db12ef35fe8c7c6e12b520678404b90424223e50f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlengad
Filesize
4KB

MD5
7577f4d6e7735ea3276a6926fb985310

SHA1
a5c4535683f96a25d4b8ad914b67af114758d0c0

SHA256
5fe8d302fa599bbb0be938416b8dfbfc29fe6be2bc1a2b57a8b8b4ab0b8da0de

SHA512
4180242e44463df1c660462759a62afe2131cb1620cad705d0ee1f7c9d920bf8fe701c8ca8ff220192b03f5bfc60f2cd2e990b45158e976cc62e57c95e54d03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe
Filesize
4KB

MD5
18c31e5cae1c4b143b143a9dea57c0e8

SHA1
ef858ae3e6f3ef72d9f375338acbaa4dc704e35c

SHA256
287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4

SHA512
54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe
Filesize
4KB

MD5
18c31e5cae1c4b143b143a9dea57c0e8

SHA1
ef858ae3e6f3ef72d9f375338acbaa4dc704e35c

SHA256
287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4

SHA512
54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxthqzi.exe
Filesize
4KB

MD5
18c31e5cae1c4b143b143a9dea57c0e8

SHA1
ef858ae3e6f3ef72d9f375338acbaa4dc704e35c

SHA256
287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4

SHA512
54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e

Download Submit
\Users\Admin\AppData\Local\Temp\qxthqzi.exe
Filesize
4KB

MD5
18c31e5cae1c4b143b143a9dea57c0e8

SHA1
ef858ae3e6f3ef72d9f375338acbaa4dc704e35c

SHA256
287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4

SHA512
54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e

Download Submit
\Users\Admin\AppData\Local\Temp\qxthqzi.exe
Filesize
4KB

MD5
18c31e5cae1c4b143b143a9dea57c0e8

SHA1
ef858ae3e6f3ef72d9f375338acbaa4dc704e35c

SHA256
287c81c29fe8d522cfb70c28257751b4d779a57a37812e9f8f4266e19b5678e4

SHA512
54dc89c298f519b33ced373b2e2f9d10359a804a72ae96ca7326fe8602168526ddbb810972f96a7215b1b1c40c1e4d16dbd4e30241a586d0a2feb5c850595a4e

Download Submit
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/2012-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2012-64-0x00000000004139DE-mapping.dmp

Download
memory/2012-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2012-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads