lokibot | 5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53

General

Target

5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
Size

212KB
MD5

8dde6ae8991612c769a66608dd50fe8f
SHA1

acff562f6e60abf3cfb0dccc2097bc0576bade70
SHA256

5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53
SHA512

4ce90dd6899fc311523bbf0c00676a2456a6b888287bb33278aac567348718d808ae52392b7a12506de2dca24e9cc94ab73c02e514c1282e8e2f974c10f93387

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://ipvhost.duckdns.org:6060/host/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Loads dropped DLL 3 IoCs

pid	Process
1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1368 set thread context of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4428	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80
PID 1368 wrote to memory of 4428	1368	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe	80

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
"C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
  "C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\psychobiologist.dll

Filesize
56KB

MD5
b84990430b17727c2a3fd7cd0485f80d

SHA1
45c66d25485ff40522e16ab031770520ad9de903

SHA256
30e7a9b1043e4d01503b0d5998b4703f66532ddacb2dcfdad1932fb3e3fc083e

SHA512
922eaf2633402ddec2a1fcfeda84a843ffebfc481feb28b79c637b3b978b04c15084877a32c5a55b2dd79a74a7fdb9e3149abfe18bdf0ea6b899c4964fbcd6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\psychobiologist.dll

Filesize
56KB

MD5
b84990430b17727c2a3fd7cd0485f80d

SHA1
45c66d25485ff40522e16ab031770520ad9de903

SHA256
30e7a9b1043e4d01503b0d5998b4703f66532ddacb2dcfdad1932fb3e3fc083e

SHA512
922eaf2633402ddec2a1fcfeda84a843ffebfc481feb28b79c637b3b978b04c15084877a32c5a55b2dd79a74a7fdb9e3149abfe18bdf0ea6b899c4964fbcd6c3

Download Submit
memory/1368-133-0x0000000003000000-0x000000000300F000-memory.dmp

Filesize
60KB

Download
memory/4428-135-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4428-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4428-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4428-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing