lokibot | 4b039a4113c98611053887af474ca0ef492c693525f6b2d700184e05720a2924

General

Target

quotation(CIF Yokohama).exe
Size

222KB
MD5

2eef9ae522288b3b5a93ddf1c4b10222
SHA1

f4f6538e30789dccda884c706cb61a194cd7da00
SHA256

352a06a48ddb77e75cd54264c213c7adfe6a70c1bbb89f453cd41e4592ec3d8a
SHA512

5438f3daa0d9a52a150968d4957d577fd71815481104555ce85184acd3c1c9a8849b555dd54925f8f7a269a326e03938319199953d676cea55eba8bd58511827

Score

10^/10

lokibot collection evasion rezer0 spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://nnasout.com/loo/need/work/Panel/five/fre.php?

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1352-57-0x0000000001F70000-0x0000000001F98000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quotation(CIF Yokohama).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	quotation(CIF Yokohama).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	quotation(CIF Yokohama).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

quotation(CIF Yokohama).exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	quotation(CIF Yokohama).exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	quotation(CIF Yokohama).exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	quotation(CIF Yokohama).exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

quotation(CIF Yokohama).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	quotation(CIF Yokohama).exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	quotation(CIF Yokohama).exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

quotation(CIF Yokohama).exe

description pid process target process

PID 1352 set thread context of 1688 1352 quotation(CIF Yokohama).exe quotation(CIF Yokohama).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

quotation(CIF Yokohama).exe

pid process

1352 quotation(CIF Yokohama).exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

quotation(CIF Yokohama).exe

pid process

1688 quotation(CIF Yokohama).exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

quotation(CIF Yokohama).exequotation(CIF Yokohama).exe

description pid process

Token: SeDebugPrivilege 1352 quotation(CIF Yokohama).exe
Token: SeDebugPrivilege 1688 quotation(CIF Yokohama).exe

description	pid	process	target process
PID 1352 set thread context of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe

pid	process
1760	schtasks.exe

pid	process
1352	quotation(CIF Yokohama).exe

pid	process
1688	quotation(CIF Yokohama).exe

description	pid	process
Token: SeDebugPrivilege	1352	quotation(CIF Yokohama).exe
Token: SeDebugPrivilege	1688	quotation(CIF Yokohama).exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

quotation(CIF Yokohama).exe

description	pid	process	target process
PID 1352 wrote to memory of 1760	1352	quotation(CIF Yokohama).exe	schtasks.exe
PID 1352 wrote to memory of 1760	1352	quotation(CIF Yokohama).exe	schtasks.exe
PID 1352 wrote to memory of 1760	1352	quotation(CIF Yokohama).exe	schtasks.exe
PID 1352 wrote to memory of 1760	1352	quotation(CIF Yokohama).exe	schtasks.exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe
PID 1352 wrote to memory of 1688	1352	quotation(CIF Yokohama).exe	quotation(CIF Yokohama).exe

outlook_office_path 1 IoCs

Processes:

quotation(CIF Yokohama).exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	quotation(CIF Yokohama).exe

outlook_win_path 1 IoCs

Processes:

quotation(CIF Yokohama).exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	quotation(CIF Yokohama).exe

C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe
"C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kvGwXY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp"
2⤵
- Creates scheduled task(s)
PID:1760

C:\Users\Admin\AppData\Local\Temp\quotation(CIF Yokohama).exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE5AE.tmp
Filesize
1KB

MD5
a19309d0038074e10a8f7f82891ffded

SHA1
f00f4628e7d890060cd82948aaf273881286daad

SHA256
971d8e081df6409489348e40ec5553441ac31a81438390d643d69ae44611dfe8

SHA512
47e96824907847b3ebd8c69b264b2e655b93925cd6d84be2f5f251630464657bd876c5c4de9ac47bf2fad4cfd9efb5e83dec0658a82888a23d7f27cd0b17ed70

Download Submit
memory/1352-55-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1352-56-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1352-57-0x0000000001F70000-0x0000000001F98000-memory.dmp

Filesize
160KB

Download
memory/1352-54-0x0000000000B30000-0x0000000000B6E000-memory.dmp

Filesize
248KB

Download
memory/1688-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-69-0x00000000004139DE-mapping.dmp

Download
memory/1688-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1688-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1760-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads