lokibot | 3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf

General

Target

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
Size

294KB
MD5

2d88fec194225a419b391ebbb2472ba3
SHA1

1960e97f45caa7aa0702f059b9215f531ba58020
SHA256

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf
SHA512

d72807942d682743ca4690db0d609a3ade2170ee2b9f3e6b0816e21668b5e37825382d92e81264753673a12b6ad22a4641052666504a571b52a6f1c5ac6e285d

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://89.46.222.42/wealth/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

756edsre6w34763e5d.exe756edsre6w34763e5d.exe

pid process

3376 756edsre6w34763e5d.exe
3544 756edsre6w34763e5d.exe

pid	process
3376	756edsre6w34763e5d.exe
3544	756edsre6w34763e5d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe

Drops startup file 3 IoCs

Processes:

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe756edsre6w34763e5d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.siS6h0In7FdTfwzS.lnk	756edsre6w34763e5d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

756edsre6w34763e5d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	756edsre6w34763e5d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	756edsre6w34763e5d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	756edsre6w34763e5d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

756edsre6w34763e5d.exe

description pid process target process

PID 3376 set thread context of 3544 3376 756edsre6w34763e5d.exe 756edsre6w34763e5d.exe

description	pid	process	target process
PID 3376 set thread context of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe

Drops file in Windows directory 4 IoCs

Processes:

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe756edsre6w34763e5d.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	756edsre6w34763e5d.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	756edsre6w34763e5d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe756edsre6w34763e5d.exe756edsre6w34763e5d.exe

description	pid	process
Token: SeDebugPrivilege	4036	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
Token: SeDebugPrivilege	3376	756edsre6w34763e5d.exe
Token: SeDebugPrivilege	3544	756edsre6w34763e5d.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exeexplorer.exe756edsre6w34763e5d.exe

description	pid	process	target process
PID 4036 wrote to memory of 2656	4036	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe	explorer.exe
PID 4036 wrote to memory of 2656	4036	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe	explorer.exe
PID 4036 wrote to memory of 2656	4036	3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe	explorer.exe
PID 2368 wrote to memory of 3376	2368	explorer.exe	756edsre6w34763e5d.exe
PID 2368 wrote to memory of 3376	2368	explorer.exe	756edsre6w34763e5d.exe
PID 2368 wrote to memory of 3376	2368	explorer.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe
PID 3376 wrote to memory of 3544	3376	756edsre6w34763e5d.exe	756edsre6w34763e5d.exe

outlook_office_path 1 IoCs

Processes:

756edsre6w34763e5d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	756edsre6w34763e5d.exe

outlook_win_path 1 IoCs

Processes:

756edsre6w34763e5d.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	756edsre6w34763e5d.exe

C:\Users\Admin\AppData\Local\Temp\3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe
"C:\Users\Admin\AppData\Local\Temp\3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe
2⤵
PID:2656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe
Filesize
294KB

MD5
2d88fec194225a419b391ebbb2472ba3

SHA1
1960e97f45caa7aa0702f059b9215f531ba58020

SHA256
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf

SHA512
d72807942d682743ca4690db0d609a3ade2170ee2b9f3e6b0816e21668b5e37825382d92e81264753673a12b6ad22a4641052666504a571b52a6f1c5ac6e285d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe
Filesize
294KB

MD5
2d88fec194225a419b391ebbb2472ba3

SHA1
1960e97f45caa7aa0702f059b9215f531ba58020

SHA256
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf

SHA512
d72807942d682743ca4690db0d609a3ade2170ee2b9f3e6b0816e21668b5e37825382d92e81264753673a12b6ad22a4641052666504a571b52a6f1c5ac6e285d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\756edsre6w34763e5d.exe
Filesize
294KB

MD5
2d88fec194225a419b391ebbb2472ba3

SHA1
1960e97f45caa7aa0702f059b9215f531ba58020

SHA256
3da5c9324011cdc8d828489e3f0654ddbb2445f1476e44498d3c04c3c9dddbcf

SHA512
d72807942d682743ca4690db0d609a3ade2170ee2b9f3e6b0816e21668b5e37825382d92e81264753673a12b6ad22a4641052666504a571b52a6f1c5ac6e285d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
Filesize
514B

MD5
94ce1b581f1c57712d7e2ee245c22734

SHA1
311319bdf3cdd55e253bac4c7f3267d9825b4993

SHA256
6f7c4d936afcc33b2c7de0aaa97386812245121230d8b52d78d2ee5b68af95ec

SHA512
67e264a4554f8bc87ba70abf39cde6d7cf75f231e165f38cf9b13c6b9a7e50c407d386aca2d0aca1d4a274b7d601da17b78a5b26f16b12c63a17990784c1a16d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
Filesize
514B

MD5
94ce1b581f1c57712d7e2ee245c22734

SHA1
311319bdf3cdd55e253bac4c7f3267d9825b4993

SHA256
6f7c4d936afcc33b2c7de0aaa97386812245121230d8b52d78d2ee5b68af95ec

SHA512
67e264a4554f8bc87ba70abf39cde6d7cf75f231e165f38cf9b13c6b9a7e50c407d386aca2d0aca1d4a274b7d601da17b78a5b26f16b12c63a17990784c1a16d

Download Submit
memory/2656-131-0x0000000000000000-mapping.dmp

Download
memory/3376-134-0x0000000000000000-mapping.dmp

Download
memory/3376-138-0x0000000073B50000-0x0000000074101000-memory.dmp

Filesize
5.7MB

Download
memory/3376-139-0x0000000073B50000-0x0000000074101000-memory.dmp

Filesize
5.7MB

Download
memory/3376-145-0x0000000073B50000-0x0000000074101000-memory.dmp

Filesize
5.7MB

Download
memory/3544-140-0x0000000000000000-mapping.dmp

Download
memory/3544-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3544-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3544-146-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3544-147-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4036-130-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4036-132-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads