lokibot | d642e4966246afd1089bd91f140c72d9da492d75f92f28554530c793c566c548

General

Target

Additional PO For 27-10-2022.exe
Size

360KB
MD5

8db76eb4fde3e13bbb5ae8d59d1d835e
SHA1

6cd9f213f9462886212ecabaca87af8aa8d6f01e
SHA256

d642e4966246afd1089bd91f140c72d9da492d75f92f28554530c793c566c548
SHA512

aed6ef24c40b13dcd3ef0df09edd78b351171e7bea215c642a3516c74ce4a78b664dc4de7baf19b03295bbdd35a6ea2583b267b217f9d36fcf0f8fb5ee33e270
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/EA4/rSrB+4fV0KXlmJnFtcmf:lToPWBv/cpGrU3y8tGEA4GQ4fVFXGvcq

Score

10^/10

lokibot collection persistence spyware stealer trojan upx

Malware Config

Extracted

Family

lokibot

C2

http://darls.us/am/ds/DEC.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

leqdumdz.exe

pid process

384 leqdumdz.exe

pid	process
384	leqdumdz.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3116-139-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/3116-140-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Additional PO For 27-10-2022.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Additional PO For 27-10-2022.exe

Loads dropped DLL 1 IoCs

Processes:

leqdumdz.exe

pid process

3116 leqdumdz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3116	leqdumdz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

leqdumdz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	leqdumdz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	leqdumdz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	leqdumdz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

leqdumdz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqehdcrxpejw = "C:\\Users\\Admin\\AppData\\Roaming\\jsoqumopqpn\\qkbgjunk.exe"	leqdumdz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

leqdumdz.exe

description pid process target process

PID 384 set thread context of 3116 384 leqdumdz.exe leqdumdz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4428 384 WerFault.exe leqdumdz.exe

description	pid	process	target process
PID 384 set thread context of 3116	384	leqdumdz.exe	leqdumdz.exe

pid	pid_target	process	target process
4428	384	WerFault.exe	leqdumdz.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Additional PO For 27-10-2022.exeleqdumdz.exe

description	pid	process	target process
PID 3480 wrote to memory of 384	3480	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 3480 wrote to memory of 384	3480	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 3480 wrote to memory of 384	3480	Additional PO For 27-10-2022.exe	leqdumdz.exe
PID 384 wrote to memory of 3116	384	leqdumdz.exe	leqdumdz.exe
PID 384 wrote to memory of 3116	384	leqdumdz.exe	leqdumdz.exe
PID 384 wrote to memory of 3116	384	leqdumdz.exe	leqdumdz.exe
PID 384 wrote to memory of 3116	384	leqdumdz.exe	leqdumdz.exe

outlook_office_path 1 IoCs

Processes:

leqdumdz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	leqdumdz.exe

outlook_win_path 1 IoCs

Processes:

leqdumdz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	leqdumdz.exe

C:\Users\Admin\AppData\Local\Temp\Additional PO For 27-10-2022.exe
"C:\Users\Admin\AppData\Local\Temp\Additional PO For 27-10-2022.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
"C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
"C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe"
3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 688
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 384 -ip 384
1⤵
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akycimzecpf.s
Filesize
46KB

MD5
e16e6b878bda2f24cfb1440f2cd3137a

SHA1
73a8a9f2f74587e0707929f2865561fee5346880

SHA256
83fa255898cfecb38c3ebdb604b00ac7ef90622b9d742894aa44dfcbe19d4abe

SHA512
455cf25a8058191d5c19b58b74df572e0561e801504c97ab53cfbe8a6f40c3f9a5e797c809b978ca1f02a4bab6ed39a7e5147276d15d0570fe4775b55ed134d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqdumdz.exe
Filesize
58KB

MD5
a483c629219e5d82781ff3a69136791c

SHA1
352a008b2ed794ab71e7d32edce9159773fff16e

SHA256
33e0209ab24e8f0a59c33d47b908563cd2f2c6b3f33ed2b33b3c343a47f54177

SHA512
832716ecf8f0c5df5be1e2a888ab21f6d9b66e7650982072c3b68892f2556fe99215fceef5a36a1123facac491c03de7a5bd55c240690c2d899143bad2ad65af

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtanf.q
Filesize
6KB

MD5
420c885d53f50bfce5c5e1696e4925d0

SHA1
46912190f382cc49bf2e0a10040998011169daf4

SHA256
ebb52bddbe85302869db400d82350ff7b9f6c52c803eff0b524ec7c3b03fadd5

SHA512
38fb1b6f3d6d92eb8286e045bb43a71bf93f954b357950037adfcb187ec6d447af9d3c3a262c2ddceb50aa45e3b5785b9e85a0bb89e155d0f0bb4bb3a8335c1a

Download Submit
memory/384-132-0x0000000000000000-mapping.dmp

Download
memory/3116-137-0x0000000000000000-mapping.dmp

Download
memory/3116-139-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3116-140-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads