lokibot | 4a8c2cfd716cc31ceb56fbe9e8f9888a3ddc834a90e6dedcb140dacb79b625ab

General

Target

tas0v3FvZSBpyH2.exe
Size

676KB
MD5

557353bdbd122177a75fe9b79e5b4242
SHA1

5815cf11845fb0eac0634fe7422b27f6f51163f5
SHA256

3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51
SHA512

e7eb2ae7db03555fdf1c800305bc060fc07e6d9667910a9a022cc10f40e6d3edf901b7f4903799706b43566977e2e1f62e971109ffe84c9398f3f11beea10b74

Score

10^/10

lokibot snakebot collection coreentity rezer0 snakebot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://skull3.ga/martins27/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/304-56-0x00000000005C0000-0x00000000005C8000-memory.dmp	coreentity

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 1 IoCs

snakebot

Processes:

resource	yara_rule
behavioral1/memory/304-54-0x0000000000150000-0x0000000000202000-memory.dmp	snakebot_strings

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/304-57-0x0000000004AB0000-0x0000000004AD8000-memory.dmp	rezer0

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tas0v3FvZSBpyH2.exe

description pid process target process

PID 304 set thread context of 680 304 tas0v3FvZSBpyH2.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1744 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

tas0v3FvZSBpyH2.exe

pid process

304 tas0v3FvZSBpyH2.exe
304 tas0v3FvZSBpyH2.exe
304 tas0v3FvZSBpyH2.exe
304 tas0v3FvZSBpyH2.exe
304 tas0v3FvZSBpyH2.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tas0v3FvZSBpyH2.exevbc.exe

description pid process

Token: SeDebugPrivilege 304 tas0v3FvZSBpyH2.exe
Token: SeDebugPrivilege 680 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tas0v3FvZSBpyH2.exe

pid process

304 tas0v3FvZSBpyH2.exe
304 tas0v3FvZSBpyH2.exe

description	pid	process	target process
PID 304 set thread context of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe

pid	process
1744	schtasks.exe

pid	process
304	tas0v3FvZSBpyH2.exe
304	tas0v3FvZSBpyH2.exe
304	tas0v3FvZSBpyH2.exe
304	tas0v3FvZSBpyH2.exe
304	tas0v3FvZSBpyH2.exe

description	pid	process
Token: SeDebugPrivilege	304	tas0v3FvZSBpyH2.exe
Token: SeDebugPrivilege	680	vbc.exe

pid	process
304	tas0v3FvZSBpyH2.exe
304	tas0v3FvZSBpyH2.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

tas0v3FvZSBpyH2.exe

description	pid	process	target process
PID 304 wrote to memory of 1744	304	tas0v3FvZSBpyH2.exe	schtasks.exe
PID 304 wrote to memory of 1744	304	tas0v3FvZSBpyH2.exe	schtasks.exe
PID 304 wrote to memory of 1744	304	tas0v3FvZSBpyH2.exe	schtasks.exe
PID 304 wrote to memory of 1744	304	tas0v3FvZSBpyH2.exe	schtasks.exe
PID 304 wrote to memory of 1760	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 1760	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 1760	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 1760	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 816	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 816	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 816	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 816	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe
PID 304 wrote to memory of 680	304	tas0v3FvZSBpyH2.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\tas0v3FvZSBpyH2.exe
"C:\Users\Admin\AppData\Local\Temp\tas0v3FvZSBpyH2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TCGVLxd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE5C.tmp"
2⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFE5C.tmp
Filesize
1KB

MD5
5c0ba61e27a9b5fb598efe7bf0aef5d9

SHA1
e2475a49ccf6240dbe35bb6e282cbc299f234666

SHA256
5fd0291070cac3663459e3b561304dbe2237973ca2827d1d3d71d247e63f5964

SHA512
8aacd7693183c74cb741bd5d07d0af16a1b44e098242de91934ebf3908ef55375dbb9aa88d7b10b7091a1a667cead5d50b199c531952e78f4122d2890779f62b

Download Submit
memory/304-55-0x0000000000560000-0x0000000000588000-memory.dmp

Filesize
160KB

Download
memory/304-56-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/304-57-0x0000000004AB0000-0x0000000004AD8000-memory.dmp

Filesize
160KB

Download
memory/304-54-0x0000000000150000-0x0000000000202000-memory.dmp

Filesize
712KB

Download
memory/680-69-0x00000000004139DE-mapping.dmp

Download
memory/680-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/680-72-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/680-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1744-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads