lokibot | 1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72

General

Target

1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exe
Size

268KB
MD5

6a4e1ce5ab0776a62ed2f5919ada8fbf
SHA1

70425753944339a629a930840ebddbc91e590d1d
SHA256

1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72
SHA512

a25b689b894a32d1b9a271ac83f38f419ef3965b27d7d72a138bfdc5ef940c9683d1f1f8c4fadbee10017fb34732be8c83cca2fbd80cf7f244e672c9673be1f8

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://castmart.ga/~zadmin/lmark/aps/link.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

theophylline.exe

pid process

488 theophylline.exe
Loads dropped DLL 1 IoCs

Processes:

theophylline.exe

pid process

488 theophylline.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
488	theophylline.exe

pid	process
488	theophylline.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cmd.exe

Drops file in Windows directory 1 IoCs

Processes:

theophylline.exe

description ioc process

File opened for modification C:\Windows\win.ini theophylline.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

theophylline.exe

pid process

488 theophylline.exe
488 theophylline.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

theophylline.exe

pid process

488 theophylline.exe
488 theophylline.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeDebugPrivilege 228 cmd.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	theophylline.exe

pid	process
488	theophylline.exe
488	theophylline.exe

pid	process
488	theophylline.exe
488	theophylline.exe

description	pid	process
Token: SeDebugPrivilege	228	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exetheophylline.exe

description	pid	process	target process
PID 2992 wrote to memory of 488	2992	1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exe	theophylline.exe
PID 2992 wrote to memory of 488	2992	1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exe	theophylline.exe
PID 2992 wrote to memory of 488	2992	1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exe	theophylline.exe
PID 488 wrote to memory of 1364	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 1364	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 1364	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 1364	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe
PID 488 wrote to memory of 228	488	theophylline.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cmd.exe

outlook_win_path 1 IoCs

Processes:

cmd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exe
"C:\Users\Admin\AppData\Local\Temp\1d11abd89729dd1cbd64e52496bb76d942b082ae3ab34bb548fce18efefd8d72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\theophylline.exe
C:\Users\Admin\AppData\Local\Temp\theophylline.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Milliped.DLL

Filesize
58KB

MD5
e9e30a48580b0c0c892532a5fdbd0be9

SHA1
e47d99f2c9abd1fd59bd432a723c78727dff0d3a

SHA256
0b5d8b14a2640e0b7c40ab91a9fc1260e567bc58561ec531381fe2c70982ebf7

SHA512
914558ffef9a2d69f5fa64f7a1b85d58042b0c075064c9b6c5c109187893a1f7b911e18f1c2102558366f7e619ed483f768bf647a33d06a0880d2d7a5257188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Milliped.dll

Filesize
58KB

MD5
e9e30a48580b0c0c892532a5fdbd0be9

SHA1
e47d99f2c9abd1fd59bd432a723c78727dff0d3a

SHA256
0b5d8b14a2640e0b7c40ab91a9fc1260e567bc58561ec531381fe2c70982ebf7

SHA512
914558ffef9a2d69f5fa64f7a1b85d58042b0c075064c9b6c5c109187893a1f7b911e18f1c2102558366f7e619ed483f768bf647a33d06a0880d2d7a5257188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Moneyman

Filesize
141KB

MD5
19ab6e668ff348062314454cb73ac6bc

SHA1
8b1d5b74619660331510daeb81c808d807a91e00

SHA256
984171c188c9168c91452cb8bf0f7dc94625257ddeef48530f2ea51357dd296b

SHA512
f23d5bf2ec87ac9932d4f0e6e1e9bb527fd7e7642bba63e4b21446473903595d51ed282c671f50b3378274e0c6697c0a5f2fb81675163fd1c38dd764986a689b

Download Submit
C:\Users\Admin\AppData\Local\Temp\theophylline.exe

Filesize
57KB

MD5
bde3d912188e011f417122a78d358ffb

SHA1
7755dae566944428c74d1420fec09fe7581700e1

SHA256
1300166b2d50a1c69fa6604f3a3a3b738b17bbe3c3b8d73367cd0eac9e2f1f78

SHA512
bbd6cd49d24a35d950a09ec3d6f3546bb4403bb132deae70bafa4159109e7eec1566fc0fd3ca8b53741934e395d78193da18f2ff8443a46cc4be589afda2d432

Download Submit
C:\Users\Admin\AppData\Local\Temp\theophylline.exe

Filesize
57KB

MD5
bde3d912188e011f417122a78d358ffb

SHA1
7755dae566944428c74d1420fec09fe7581700e1

SHA256
1300166b2d50a1c69fa6604f3a3a3b738b17bbe3c3b8d73367cd0eac9e2f1f78

SHA512
bbd6cd49d24a35d950a09ec3d6f3546bb4403bb132deae70bafa4159109e7eec1566fc0fd3ca8b53741934e395d78193da18f2ff8443a46cc4be589afda2d432

Download Submit
memory/228-147-0x0000000000000000-mapping.dmp

Download
memory/228-155-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/228-154-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/228-149-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/228-148-0x00007FFA688D0000-0x00007FFA68AC5000-memory.dmp

Filesize
2.0MB

Download
memory/488-136-0x0000000000820000-0x0000000000827000-memory.dmp

Filesize
28KB

Download
memory/488-146-0x0000000000850000-0x0000000000873000-memory.dmp

Filesize
140KB

Download
memory/488-143-0x00007FFA688D0000-0x00007FFA68AC5000-memory.dmp

Filesize
2.0MB

Download
memory/488-142-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/488-130-0x0000000000000000-mapping.dmp

Download
memory/1364-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads