lokibot | 53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb

General

Target

53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe
Size

478KB
MD5

27b5a2ae4b7829e5c4a6be8c05f0af66
SHA1

f0a03d7f0aff41e5458436f0241c8a1e59002e76
SHA256

53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb
SHA512

7d2b5a3731f3e38118bc1d25354782e79913e79408439a74d121bef546ab21e60330d9cf73a083bdcf19d20327d5ace3b3261fbb97acbb0318556050b4d917a8

Score

10^/10

lokibot sality backdoor collection evasion spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

C2

http://mclhk-net.com/hiswounds/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	AppLaunch.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

AppLaunch.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AppLaunch.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	AppLaunch.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2488-136-0x0000000002230000-0x00000000032EA000-memory.dmp	upx
behavioral2/memory/2488-139-0x0000000002230000-0x00000000032EA000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AppLaunch.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
File opened (read-only)	\??\J:	AppLaunch.exe
File opened (read-only)	\??\K:	AppLaunch.exe
File opened (read-only)	\??\L:	AppLaunch.exe
File opened (read-only)	\??\E:	AppLaunch.exe
File opened (read-only)	\??\F:	AppLaunch.exe
File opened (read-only)	\??\G:	AppLaunch.exe
File opened (read-only)	\??\H:	AppLaunch.exe
File opened (read-only)	\??\I:	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe

description	pid	process	target process
PID 4428 set thread context of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe

Drops file in Windows directory 4 IoCs

Processes:

AppLaunch.exe53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe

description	ioc	process
File created	C:\Windows\e5867ae	AppLaunch.exe
File opened for modification	C:\Windows\SYSTEM.INI	AppLaunch.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exe

pid process

2488 AppLaunch.exe
2488 AppLaunch.exe
2488 AppLaunch.exe
2488 AppLaunch.exe
2488 AppLaunch.exe
2488 AppLaunch.exe

pid	process
2488	AppLaunch.exe
2488	AppLaunch.exe
2488	AppLaunch.exe
2488	AppLaunch.exe
2488	AppLaunch.exe
2488	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exeAppLaunch.exe

description	pid	process	target process
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 4428 wrote to memory of 2488	4428	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe	AppLaunch.exe
PID 2488 wrote to memory of 764	2488	AppLaunch.exe	fontdrvhost.exe
PID 2488 wrote to memory of 772	2488	AppLaunch.exe	fontdrvhost.exe
PID 2488 wrote to memory of 1016	2488	AppLaunch.exe	dwm.exe
PID 2488 wrote to memory of 2492	2488	AppLaunch.exe	sihost.exe
PID 2488 wrote to memory of 2504	2488	AppLaunch.exe	svchost.exe
PID 2488 wrote to memory of 2604	2488	AppLaunch.exe	taskhostw.exe
PID 2488 wrote to memory of 2648	2488	AppLaunch.exe	Explorer.EXE
PID 2488 wrote to memory of 3104	2488	AppLaunch.exe	svchost.exe
PID 2488 wrote to memory of 3284	2488	AppLaunch.exe	DllHost.exe
PID 2488 wrote to memory of 3380	2488	AppLaunch.exe	StartMenuExperienceHost.exe
PID 2488 wrote to memory of 3444	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 3544	2488	AppLaunch.exe	SearchApp.exe
PID 2488 wrote to memory of 3788	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 4408	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 4428	2488	AppLaunch.exe	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe
PID 2488 wrote to memory of 4428	2488	AppLaunch.exe	53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe
PID 2488 wrote to memory of 764	2488	AppLaunch.exe	fontdrvhost.exe
PID 2488 wrote to memory of 772	2488	AppLaunch.exe	fontdrvhost.exe
PID 2488 wrote to memory of 1016	2488	AppLaunch.exe	dwm.exe
PID 2488 wrote to memory of 2492	2488	AppLaunch.exe	sihost.exe
PID 2488 wrote to memory of 2504	2488	AppLaunch.exe	svchost.exe
PID 2488 wrote to memory of 2604	2488	AppLaunch.exe	taskhostw.exe
PID 2488 wrote to memory of 2648	2488	AppLaunch.exe	Explorer.EXE
PID 2488 wrote to memory of 3104	2488	AppLaunch.exe	svchost.exe
PID 2488 wrote to memory of 3284	2488	AppLaunch.exe	DllHost.exe
PID 2488 wrote to memory of 3380	2488	AppLaunch.exe	StartMenuExperienceHost.exe
PID 2488 wrote to memory of 3444	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 3544	2488	AppLaunch.exe	SearchApp.exe
PID 2488 wrote to memory of 3788	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 4408	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 764	2488	AppLaunch.exe	fontdrvhost.exe
PID 2488 wrote to memory of 772	2488	AppLaunch.exe	fontdrvhost.exe
PID 2488 wrote to memory of 1016	2488	AppLaunch.exe	dwm.exe
PID 2488 wrote to memory of 2492	2488	AppLaunch.exe	sihost.exe
PID 2488 wrote to memory of 2504	2488	AppLaunch.exe	svchost.exe
PID 2488 wrote to memory of 2604	2488	AppLaunch.exe	taskhostw.exe
PID 2488 wrote to memory of 2648	2488	AppLaunch.exe	Explorer.EXE
PID 2488 wrote to memory of 3104	2488	AppLaunch.exe	svchost.exe
PID 2488 wrote to memory of 3284	2488	AppLaunch.exe	DllHost.exe
PID 2488 wrote to memory of 3380	2488	AppLaunch.exe	StartMenuExperienceHost.exe
PID 2488 wrote to memory of 3444	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 3544	2488	AppLaunch.exe	SearchApp.exe
PID 2488 wrote to memory of 3788	2488	AppLaunch.exe	RuntimeBroker.exe
PID 2488 wrote to memory of 4408	2488	AppLaunch.exe	RuntimeBroker.exe

outlook_office_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	AppLaunch.exe

outlook_win_path 1 IoCs

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	AppLaunch.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe
"C:\Users\Admin\AppData\Local\Temp\53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2488

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2492

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

3

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-132-0x0000000000000000-mapping.dmp

Download
memory/2488-133-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2488-135-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2488-137-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2488-136-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/2488-138-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2488-139-0x0000000002230000-0x00000000032EA000-memory.dmp

Filesize
16.7MB

Download
memory/4428-130-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4428-131-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4428-140-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads