lokibot | 1c451e72c2172a3956b8a663a7f135af8403901a5a1b1c286c8f8d8161c1bed4

General

Target

New Order.exe
Size

238KB
MD5

0e3d09ecb4359b1ed85d8239b65fb5b4
SHA1

e41e74634e37c260857cd4d003056475c87e2f46
SHA256

34c4934114c4dcdac5a0affe7ac3d2f37c5856579a9ede253c9e02cd12f76e87
SHA512

a2393ff366d07c4259f638da935bcf78a27233115771e51fd61ef1a73bd4fc0a0f2f3abb845812ef651c92798a4179c42ef361d4d1564df00f259b3f703a1a63

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=8655983264725314

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 4168 set thread context of 4448 4168 New Order.exe cvtres.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

New Order.exe

pid process

4168 New Order.exe
4168 New Order.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New Order.execvtres.exe

description pid process

Token: SeDebugPrivilege 4168 New Order.exe
Token: SeDebugPrivilege 4448 cvtres.exe

description	pid	process	target process
PID 4168 set thread context of 4448	4168	New Order.exe	cvtres.exe

pid	process
4168	New Order.exe
4168	New Order.exe

description	pid	process
Token: SeDebugPrivilege	4168	New Order.exe
Token: SeDebugPrivilege	4448	cvtres.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 4168 wrote to memory of 3772	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 3772	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 3772	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe
PID 4168 wrote to memory of 4448	4168	New Order.exe	cvtres.exe

outlook_office_path 1 IoCs

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvtres.exe

outlook_win_path 1 IoCs

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:3772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3772-131-0x0000000000000000-mapping.dmp

Download
memory/4168-130-0x00000000001D0000-0x000000000020E000-memory.dmp

Filesize
248KB

Download
memory/4448-132-0x0000000000000000-mapping.dmp

Download
memory/4448-133-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4448-135-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4448-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4448-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads