lokibot | a4ccb6c0f50e66c590d27ef2c666bca9041ea88f7daef184b631ebcf0abab094

General

Target

050.exe
Size

262KB
MD5

4782e397d603e4c0096a98ad06490b50
SHA1

63bba5b7758b1358764656e9fb83ad27e1045dbb
SHA256

a4ccb6c0f50e66c590d27ef2c666bca9041ea88f7daef184b631ebcf0abab094
SHA512

784f2023ecada58ce62f4f6b745dc9c69c7fc3cc5eff33ebd05bc73d41c29c13986d9ee9de843eb3a93dc3ed99495d1a59f6b55a6f2488ce20db32372e136979

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://becharnise.ir/fb19/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Loads dropped DLL 1 IoCs

Processes:

050.exe

pid process

1312 050.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1312	050.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

050.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	050.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	050.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	050.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

050.exe

description pid process target process

PID 1312 set thread context of 4956 1312 050.exe 050.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

050.exe

pid process

1312 050.exe
1312 050.exe
1312 050.exe
1312 050.exe
1312 050.exe
1312 050.exe
1312 050.exe
1312 050.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

050.exe

pid process

1312 050.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

050.exe

pid process

4956 050.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

050.exe

description pid process

Token: SeDebugPrivilege 4956 050.exe

description	pid	process	target process
PID 1312 set thread context of 4956	1312	050.exe	050.exe

pid	process
1312	050.exe
1312	050.exe
1312	050.exe
1312	050.exe
1312	050.exe
1312	050.exe
1312	050.exe
1312	050.exe

pid	process
1312	050.exe

pid	process
4956	050.exe

description	pid	process
Token: SeDebugPrivilege	4956	050.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

050.exe

description	pid	process	target process
PID 1312 wrote to memory of 4956	1312	050.exe	050.exe
PID 1312 wrote to memory of 4956	1312	050.exe	050.exe
PID 1312 wrote to memory of 4956	1312	050.exe	050.exe
PID 1312 wrote to memory of 4956	1312	050.exe	050.exe

outlook_office_path 1 IoCs

Processes:

050.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	050.exe

outlook_win_path 1 IoCs

Processes:

050.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	050.exe

C:\Users\Admin\AppData\Local\Temp\050.exe
"C:\Users\Admin\AppData\Local\Temp\050.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\050.exe
"C:\Users\Admin\AppData\Local\Temp\050.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss5D78.tmp\m0kdzueblmmlav.dll
Filesize
116KB

MD5
ba15f2f9f59bcaeabbb41c890bef4e2f

SHA1
ab06d93f3df6a483a87c384c4539570b203e74cb

SHA256
7518f79fddbf51df7f43045a55c1dfd8bbafa8f87d21b573ee2c13bbc1e616c0

SHA512
9479913429521387778a47e7023843b01c85cb83e36f4632f434e6431045e5e013c857f72e7d93d8458015242017863eafc57ea388ae24384d6e7d026bf3d4b4

Download Submit
memory/1312-130-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/1312-133-0x0000000000400000-0x00000000007CA000-memory.dmp

Filesize
3.8MB

Download
memory/1312-134-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4956-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads