lokibot | 20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1

General

Target

20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
Size

435KB
MD5

ac7cfc5070d1c40fa65498cb9909f61b
SHA1

7dac1426ad9e0fb08b89dba7667e7d1477533834
SHA256

20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1
SHA512

a82d65ac39acecc819a58590979ead1b2f5c85bc81eba438f9e678391b2eed4e66da5e443462fdb26d2c5bbbe37bf712aceeed356d7eb75ec19900721341c65a

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://redsseammgt.com/loki5/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe

description	pid	process	target process
PID 1552 set thread context of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe

pid	process
1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
Token: SeDebugPrivilege	912	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe

description	pid	process	target process
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe
PID 1552 wrote to memory of 912	1552	20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe	svchost.exe

outlook_office_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe
"C:\Users\Admin\AppData\Local\Temp\20f11dab91e6b84014dec6e2f539e345a2a4662cb9a85763696e0170aeda12e1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-57-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-58-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-75-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/912-70-0x00000000004139DE-mapping.dmp

Download
memory/1552-71-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1552-55-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-56-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads