lokibot | f761ec2eab1997b820c55529664277bd0e50430bffe9e52828eb0cc47052ef40

General

Target

Shipment Document BL,INV and Packing List Attached.exe
Size

269KB
MD5

6b867daf3833eed6d3b0f937d5c2deb8
SHA1

eda3c03511a75e8aeb6ba9631c58ca664139e0b7
SHA256

cbdceb86c103f8263dd8e128cd5f2153b2698f8a7014377bc60d1a4f7c8c5fd9
SHA512

35bfb81aefef82e0840fbfb41844cec394b3796ec92802ba001d720db6acb4bd99cef1c938e36ae3cea632b78949fe3b8f97278aa36f4fe29740f2f9c12fb523

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://195.69.140.147/.op/cr.php/rBvEb52mPBnqh

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid process

1996 InstallUtil.exe
Loads dropped DLL 1 IoCs

Processes:

Shipment Document BL,INV and Packing List Attached.exe

pid process

892 Shipment Document BL,INV and Packing List Attached.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1996	InstallUtil.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipment Document BL,INV and Packing List Attached.exe

description pid process target process

PID 892 set thread context of 1996 892 Shipment Document BL,INV and Packing List Attached.exe InstallUtil.exe

description	pid	process	target process
PID 892 set thread context of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Shipment Document BL,INV and Packing List Attached.exe

pid	process
892	Shipment Document BL,INV and Packing List Attached.exe
892	Shipment Document BL,INV and Packing List Attached.exe
892	Shipment Document BL,INV and Packing List Attached.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipment Document BL,INV and Packing List Attached.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 892 Shipment Document BL,INV and Packing List Attached.exe
Token: SeDebugPrivilege 1996 InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	892	Shipment Document BL,INV and Packing List Attached.exe
Token: SeDebugPrivilege	1996	InstallUtil.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Shipment Document BL,INV and Packing List Attached.exe

description	pid	process	target process
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe
PID 892 wrote to memory of 1996	892	Shipment Document BL,INV and Packing List Attached.exe	InstallUtil.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing List Attached.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and Packing List Attached.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/892-54-0x0000000000BF0000-0x0000000000C3A000-memory.dmp

Filesize
296KB

Download
memory/892-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/892-56-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/892-57-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/1996-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-68-0x00000000004139DE-mapping.dmp

Download
memory/1996-59-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads