Behavioral Report

max time kernel126s
max time network128s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted21-05-2022 18:35

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

COVID-19 TRANSFER RECEIPT FORM_pdf.exe

Filesize

1MB

Completed

21-05-2022 18:38

Task

behavioral2

Score

10^/10

MD5

1678a6372c11592d92876749482fd18e

SHA1

e7001067022152bc76445369c9c14f59e0097fdc

SHA256

2a3c60d816836bf1cecb31f34d4eaf5b93976c123364538d5b8e22e9272e1269

SHA512

fa2bc8977f0c929fd6baafaf863b809a38eb6704f05199ec6073cda40116ffc169c6ea33079cbd367f21084ad6a581dabd989e5f4163fa2f4648406c35fc778b

lokibot collection spyware stealer trojan

Extracted

Family	lokibot
C2	http://attlogistics-vn.com/first/chief2/fre.php http://kbfvzoboss.bid/alien/fre.php http://alphastand.trade/alien/fre.php http://alphastand.win/alien/fre.php http://alphastand.top/alien/fre.php http://attlogistics-vn.com/first/chief2/fre.php http://kbfvzoboss.bid/alien/fre.php http://alphastand.trade/alien/fre.php http://alphastand.win/alien/fre.php http://alphastand.top/alien/fre.php

Collection

Lokibot

Description

Lokibot is a Password and CryptoCoin Wallet Stealer.

Tags

trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles

dllhost.exe

TTPs

Email Collection

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dllhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

Suspicious use of SetThreadContext
COVID-19 TRANSFER RECEIPT FORM_pdf.exe

Reported IOCs

description pid process target process

PID 3588 set thread context of 4968 3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe dllhost.exe
Suspicious use of AdjustPrivilegeToken
dllhost.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 4968 dllhost.exe
Suspicious use of FindShellTrayWindow
COVID-19 TRANSFER RECEIPT FORM_pdf.exe

Reported IOCs

pid process

3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe
Suspicious use of SendNotifyMessage
COVID-19 TRANSFER RECEIPT FORM_pdf.exe

Reported IOCs

pid process

3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588 COVID-19 TRANSFER RECEIPT FORM_pdf.exe

description	pid	process	target process
PID 3588 set thread context of 4968	3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	4968	dllhost.exe

pid	process
3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe

pid	process
3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe
3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe

Suspicious use of WriteProcessMemory

COVID-19 TRANSFER RECEIPT FORM_pdf.exe

Reported IOCs

description	pid	process	target process
PID 3588 wrote to memory of 4968	3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe	dllhost.exe
PID 3588 wrote to memory of 4968	3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe	dllhost.exe
PID 3588 wrote to memory of 4968	3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe	dllhost.exe
PID 3588 wrote to memory of 4968	3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe	dllhost.exe
PID 3588 wrote to memory of 4968	3588	COVID-19 TRANSFER RECEIPT FORM_pdf.exe	dllhost.exe

outlook_office_path

dllhost.exe

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dllhost.exe

outlook_win_path

dllhost.exe

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\COVID-19 TRANSFER RECEIPT FORM_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\COVID-19 TRANSFER RECEIPT FORM_pdf.exe"

Suspicious use of SetThreadContext
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory

PID:3588

C:\Windows\SysWOW64\dllhost.exe

"C:\Windows\SysWOW64\dllhost.exe"

Accesses Microsoft Outlook profiles
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path

PID:4968

Collection

Email Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/3588-138-0x0000000000F20000-0x0000000000F55000-memory.dmp

Download
memory/3588-139-0x0000000003300000-0x0000000003335000-memory.dmp

Download
memory/4968-130-0x0000000000000000-mapping.dmp

Download
memory/4968-131-0x0000000000400000-0x00000000004A2000-memory.dmp

Download
memory/4968-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Download
memory/4968-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title