lokibot | 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6

General

Target

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
Size

271KB
MD5

6d6e6d27380ce69f043be7dc379fbf15
SHA1

7078801fbf3ef2523958b0431a56a07a9002d1e9
SHA256

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6
SHA512

36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://timmason2.com/demoami/demoami/iu/y/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3680 svhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3680	svhost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

description	pid	process	target process
PID 228 set thread context of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4620 timeout.exe
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe:Zone.Identifier cmd.exe

pid	process
4620	timeout.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

pid	process
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
Token: SeDebugPrivilege	3680	svhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.execmd.execmd.exe

description	pid	process	target process
PID 228 wrote to memory of 1376	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 228 wrote to memory of 1376	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 228 wrote to memory of 1376	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 1376 wrote to memory of 984	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 984	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 984	1376	cmd.exe	reg.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 3680	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 228 wrote to memory of 4388	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 228 wrote to memory of 4388	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 228 wrote to memory of 4388	228	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 4388 wrote to memory of 4620	4388	cmd.exe	timeout.exe
PID 4388 wrote to memory of 4620	4388	cmd.exe	timeout.exe
PID 4388 wrote to memory of 4620	4388	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svhost.exe

outlook_win_path 1 IoCs

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svhost.exe

C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
"C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.lnk" /f
3⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe
Filesize
271KB

MD5
6d6e6d27380ce69f043be7dc379fbf15

SHA1
7078801fbf3ef2523958b0431a56a07a9002d1e9

SHA256
5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6

SHA512
36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f

Download Submit
C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.bat
Filesize
198B

MD5
2e5cd464a7f51445d81d8f7b258f85e1

SHA1
af8f08d277d72704eeb6b518a554bd6f5d904aea

SHA256
832c62f71c5b1af187b7c48a30871af8fdb7942c95d8c172f3b92635d387b729

SHA512
83dd4ad13e31c64403a4aa5b3ecc5c844a6f8ad71e5dac8b4fa8c6ad5c09277f6fac72db4258f2df84d571436f0f4d60b7a599d11bfdea32a2fbfa4b09109fba

Download Submit
memory/228-133-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/228-130-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/228-146-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/984-132-0x0000000000000000-mapping.dmp

Download
memory/1376-131-0x0000000000000000-mapping.dmp

Download
memory/3680-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3680-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3680-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3680-145-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3680-135-0x0000000000000000-mapping.dmp

Download
memory/3680-147-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4388-140-0x0000000000000000-mapping.dmp

Download
memory/4620-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads