lokibot | 469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b

General

Target

469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe
Size

264KB
MD5

38ea528ddcc8e339c29c7ec31862cf8f
SHA1

1905e62884a4ee76357ed0d1398225ebf747d046
SHA256

469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b
SHA512

c7d22f38bfc2004e155bb8a9e577dfe9eac8b0246931df637047f0656508e35bfd9880e09d48461d01553fe647c6883833255c35ae370109c9e6730017d9157b

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://247dichvu.com/moon/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

office.exe

pid process

2824 office.exe

pid	process
2824	office.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe

Drops startup file 3 IoCs

Processes:

cmd.exeoffice.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.lnk	office.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

office.exe

description pid process target process

PID 2824 set thread context of 4232 2824 office.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2824 set thread context of 4232	2824	office.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exeoffice.exe

description	pid	process
Token: SeDebugPrivilege	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe
Token: SeDebugPrivilege	2824	office.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exeexplorer.exeoffice.exe

description	pid	process	target process
PID 2448 wrote to memory of 3600	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe	cmd.exe
PID 2448 wrote to memory of 3600	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe	cmd.exe
PID 2448 wrote to memory of 3600	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe	cmd.exe
PID 2448 wrote to memory of 3216	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe	explorer.exe
PID 2448 wrote to memory of 3216	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe	explorer.exe
PID 2448 wrote to memory of 3216	2448	469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe	explorer.exe
PID 4360 wrote to memory of 2824	4360	explorer.exe	office.exe
PID 4360 wrote to memory of 2824	4360	explorer.exe	office.exe
PID 4360 wrote to memory of 2824	4360	explorer.exe	office.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe
PID 2824 wrote to memory of 4232	2824	office.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe
"C:\Users\Admin\AppData\Local\Temp\469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
2⤵
- Drops startup file
PID:3600

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
2⤵
PID:3216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
Filesize
264KB

MD5
38ea528ddcc8e339c29c7ec31862cf8f

SHA1
1905e62884a4ee76357ed0d1398225ebf747d046

SHA256
469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b

SHA512
c7d22f38bfc2004e155bb8a9e577dfe9eac8b0246931df637047f0656508e35bfd9880e09d48461d01553fe647c6883833255c35ae370109c9e6730017d9157b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
Filesize
264KB

MD5
38ea528ddcc8e339c29c7ec31862cf8f

SHA1
1905e62884a4ee76357ed0d1398225ebf747d046

SHA256
469fe3587965554cdd7115c5fa03ed6147052a05f716f724aa6be68e2d921f1b

SHA512
c7d22f38bfc2004e155bb8a9e577dfe9eac8b0246931df637047f0656508e35bfd9880e09d48461d01553fe647c6883833255c35ae370109c9e6730017d9157b

Download Submit
memory/2448-130-0x0000000000790000-0x00000000007D8000-memory.dmp

Filesize
288KB

Download
memory/2448-131-0x0000000005140000-0x000000000515A000-memory.dmp

Filesize
104KB

Download
memory/2448-132-0x000000000A5F0000-0x000000000AB94000-memory.dmp

Filesize
5.6MB

Download
memory/2448-133-0x000000000A140000-0x000000000A1D2000-memory.dmp

Filesize
584KB

Download
memory/2824-137-0x0000000000000000-mapping.dmp

Download
memory/2824-139-0x000000000B3E0000-0x000000000B47C000-memory.dmp

Filesize
624KB

Download
memory/3216-135-0x0000000000000000-mapping.dmp

Download
memory/3600-134-0x0000000000000000-mapping.dmp

Download
memory/4232-140-0x0000000000000000-mapping.dmp

Download
memory/4232-142-0x0000000000610000-0x00000000006B2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads