lokibot | 9e08adec6e70f3bcc1cacd9512cf7ba7a1592b848e1c00996896f118ce744e09

General

Target

DRAFT FCR.exe
Size

931KB
MD5

62c8dbcd33abd9350c3a260bc739440c
SHA1

1afeb4b6e349eac8c3d47b317d8ac754690c4961
SHA256

2d298cd1f78a6a239b173d32a4e9cf6a6e62ff06858c10a97ed947519c4fd666
SHA512

b7611d20f0d12f2b99b2103ff341028ac8050df1ad732e164619bdf3d49cf4fab2cdaabccd3763cac4e6487910b563f5d25b154e94e21ee64129935b08200616
SSDEEP

24576:Wq8eSoMZRuicOeJwFiJcUItBVqKYKgxcjSuqwCBOrn:CDoaRP1aJcUislTs

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gk17/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DRAFT FCR.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	DRAFT FCR.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	DRAFT FCR.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1640	1720	DRAFT FCR.exe	31

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1720	DRAFT FCR.exe
1720	DRAFT FCR.exe
1720	DRAFT FCR.exe
1720	DRAFT FCR.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1640	DRAFT FCR.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	DRAFT FCR.exe
Token: SeDebugPrivilege	1640	DRAFT FCR.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 760	1720	DRAFT FCR.exe	27
PID 1720 wrote to memory of 760	1720	DRAFT FCR.exe	27
PID 1720 wrote to memory of 760	1720	DRAFT FCR.exe	27
PID 1720 wrote to memory of 760	1720	DRAFT FCR.exe	27
PID 1720 wrote to memory of 1100	1720	DRAFT FCR.exe	28
PID 1720 wrote to memory of 1100	1720	DRAFT FCR.exe	28
PID 1720 wrote to memory of 1100	1720	DRAFT FCR.exe	28
PID 1720 wrote to memory of 1100	1720	DRAFT FCR.exe	28
PID 1720 wrote to memory of 1092	1720	DRAFT FCR.exe	29
PID 1720 wrote to memory of 1092	1720	DRAFT FCR.exe	29
PID 1720 wrote to memory of 1092	1720	DRAFT FCR.exe	29
PID 1720 wrote to memory of 1092	1720	DRAFT FCR.exe	29
PID 1720 wrote to memory of 1648	1720	DRAFT FCR.exe	30
PID 1720 wrote to memory of 1648	1720	DRAFT FCR.exe	30
PID 1720 wrote to memory of 1648	1720	DRAFT FCR.exe	30
PID 1720 wrote to memory of 1648	1720	DRAFT FCR.exe	30
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31
PID 1720 wrote to memory of 1640	1720	DRAFT FCR.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	DRAFT FCR.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DRAFT FCR.exe

C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe
"C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe
  "C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe"
  2⤵
  PID:760
- C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe
  "C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe"
  2⤵
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe
  "C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe"
  2⤵
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe
  "C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe"
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe
  "C:\Users\Admin\AppData\Local\Temp\DRAFT FCR.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1720-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1720-59-0x0000000005D00000-0x0000000005D5E000-memory.dmp

Filesize
376KB

Download
memory/1720-54-0x0000000000220000-0x0000000000310000-memory.dmp

Filesize
960KB

Download
memory/1720-58-0x0000000007F70000-0x0000000008024000-memory.dmp

Filesize
720KB

Download
memory/1720-57-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/1720-56-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing