lokibot | d642e4966246afd1089bd91f140c72d9da492d75f92f28554530c793c566c548

Analysis

max time kernel
40s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Additional PO For 27-10-2022.exe
Size

360KB
MD5

8db76eb4fde3e13bbb5ae8d59d1d835e
SHA1

6cd9f213f9462886212ecabaca87af8aa8d6f01e
SHA256

d642e4966246afd1089bd91f140c72d9da492d75f92f28554530c793c566c548
SHA512

aed6ef24c40b13dcd3ef0df09edd78b351171e7bea215c642a3516c74ce4a78b664dc4de7baf19b03295bbdd35a6ea2583b267b217f9d36fcf0f8fb5ee33e270
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/EA4/rSrB+4fV0KXlmJnFtcmf:lToPWBv/cpGrU3y8tGEA4GQ4fVFXGvcq

Score

10^/10

lokibot collection persistence spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

http://darls.us/am/ds/DEC.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

leqdumdz.exe

pid process

1160 leqdumdz.exe

pid	process
1160	leqdumdz.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1992-74-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1992-76-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Loads dropped DLL 11 IoCs

Processes:

Additional PO For 27-10-2022.exeleqdumdz.exeleqdumdz.exeWerFault.exe

pid	process
1424	Additional PO For 27-10-2022.exe
1424	Additional PO For 27-10-2022.exe
1424	Additional PO For 27-10-2022.exe
1424	Additional PO For 27-10-2022.exe
1160	leqdumdz.exe
1992	leqdumdz.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

leqdumdz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	leqdumdz.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	leqdumdz.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	leqdumdz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

leqdumdz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\rqehdcrxpejw = "C:\\Users\\Admin\\AppData\\Roaming\\jsoqumopqpn\\qkbgjunk.exe"	leqdumdz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

leqdumdz.exe

description pid process target process

PID 1160 set thread context of 1992 1160 leqdumdz.exe leqdumdz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1800 1160 WerFault.exe leqdumdz.exe

description	pid	process	target process
PID 1160 set thread context of 1992	1160	leqdumdz.exe	leqdumdz.exe

pid	pid_target	process	target process
1800	1160	WerFault.exe	leqdumdz.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Additional PO For 27-10-2022.exeleqdumdz.exe

description	pid	process	target process
PID 1424 wrote to memory of 1160	1424	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 1424 wrote to memory of 1160	1424	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 1424 wrote to memory of 1160	1424	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 1424 wrote to memory of 1160	1424	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 1160 wrote to memory of 1992	1160	leqdumdz.exe	leqdumdz.exe
PID 1160 wrote to memory of 1992	1160	leqdumdz.exe	leqdumdz.exe
PID 1160 wrote to memory of 1992	1160	leqdumdz.exe	leqdumdz.exe
PID 1160 wrote to memory of 1992	1160	leqdumdz.exe	leqdumdz.exe
PID 1160 wrote to memory of 1992	1160	leqdumdz.exe	leqdumdz.exe
PID 1160 wrote to memory of 1800	1160	leqdumdz.exe	WerFault.exe
PID 1160 wrote to memory of 1800	1160	leqdumdz.exe	WerFault.exe
PID 1160 wrote to memory of 1800	1160	leqdumdz.exe	WerFault.exe
PID 1160 wrote to memory of 1800	1160	leqdumdz.exe	WerFault.exe

outlook_office_path 1 IoCs

Processes:

leqdumdz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	leqdumdz.exe

outlook_win_path 1 IoCs

Processes:

leqdumdz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	leqdumdz.exe

C:\Users\Admin\AppData\Local\Temp\Additional PO For 27-10-2022.exe
"C:\Users\Admin\AppData\Local\Temp\Additional PO For 27-10-2022.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
"C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
"C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe"
3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 236
3⤵
- Loads dropped DLL
- Program crash
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akycimzecpf.s
Filesize
46KB

MD5
e16e6b878bda2f24cfb1440f2cd3137a

SHA1
73a8a9f2f74587e0707929f2865561fee5346880

SHA256
83fa255898cfecb38c3ebdb604b00ac7ef90622b9d742894aa44dfcbe19d4abe

SHA512
455cf25a8058191d5c19b58b74df572e0561e801504c97ab53cfbe8a6f40c3f9a5e797c809b978ca1f02a4bab6ed39a7e5147276d15d0570fe4775b55ed134d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtanf.q
Filesize
6KB

MD5
420c885d53f50bfce5c5e1696e4925d0

SHA1
46912190f382cc49bf2e0a10040998011169daf4

SHA256
ebb52bddbe85302869db400d82350ff7b9f6c52c803eff0b524ec7c3b03fadd5

SHA512
38fb1b6f3d6d92eb8286e045bb43a71bf93f954b357950037adfcb187ec6d447af9d3c3a262c2ddceb50aa45e3b5785b9e85a0bb89e155d0f0bb4bb3a8335c1a

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
memory/1160-59-0x0000000000000000-mapping.dmp

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1992-66-0x00000000004A30E0-mapping.dmp

Download
memory/1992-74-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1992-76-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download