lokibot | 16bafc095597c2a0de4683bf79e757cf460a6a783acab20c97efa71b323c0100

General

Target

RLOI JS01-2pdf.exe
Size

371KB
MD5

f01b2bb2e92cd7e511d5b30bd09decac
SHA1

bd15c817b686c0296b38422551759e9bb4a0f6fc
SHA256

16bafc095597c2a0de4683bf79e757cf460a6a783acab20c97efa71b323c0100
SHA512

68fbaec7ad4abe2b8e3cd11f41fa1ecc004eadb1106f26ed75cc73a2b1ee20e5f7c8057a859915d0a71b84c32715507f69045fc8dc23673fe0401a25068eb446
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/H3f1NsjEXL2eDAFoH:lToPWBv/cpGrU3y8tG4jEXLHDAFy

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 1 IoCs

pid	Process
3408	zwhnqcvgxi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	RLOI JS01-2pdf.exe

Loads dropped DLL 1 IoCs

pid	Process
1056	zwhnqcvgxi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	zwhnqcvgxi.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	zwhnqcvgxi.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	zwhnqcvgxi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 1056	3408	zwhnqcvgxi.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	zwhnqcvgxi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3408	1456	RLOI JS01-2pdf.exe	86
PID 1456 wrote to memory of 3408	1456	RLOI JS01-2pdf.exe	86
PID 1456 wrote to memory of 3408	1456	RLOI JS01-2pdf.exe	86
PID 3408 wrote to memory of 1056	3408	zwhnqcvgxi.exe	88
PID 3408 wrote to memory of 1056	3408	zwhnqcvgxi.exe	88
PID 3408 wrote to memory of 1056	3408	zwhnqcvgxi.exe	88
PID 3408 wrote to memory of 1056	3408	zwhnqcvgxi.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	zwhnqcvgxi.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	zwhnqcvgxi.exe

C:\Users\Admin\AppData\Local\Temp\RLOI JS01-2pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RLOI JS01-2pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe
  "C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe
    "C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rvuymkbvb.nk

Filesize
4KB

MD5
12841c968120006c622d81cc5c4cb51a

SHA1
d402a0832788ee1fa143e25a0544d959d399f625

SHA256
0a3184a8864fb021307ec506faad13215e323b30a6fd76196d2d5257b5c9945e

SHA512
59ad91e3c2824d682eb9fe742af1a9a1b07f42727ee9fb8d47c66549b9b083621f9f51ceb80f787ae4d1061fe6f97887797b15c0b2e4e58023f8b0a58efd2396

Download Submit
C:\Users\Admin\AppData\Local\Temp\usvwwwrhx.mlb

Filesize
104KB

MD5
a9ccab0a00e9d713e1b32a7b70cb3ac4

SHA1
93baddc23779b7f6e2a59e8e97b579d0c62e0b7f

SHA256
6f8c012194d16dc7376816c2ee30e7d8b411c1178f4ed6237561cf7b7a7e34eb

SHA512
15d595fc987fa08d1af4d6806a36b7457fa6533d6c835c0e74ec7d54d290b57c7b479b11111e6c2d7068b0b78c9923b1d8d49754d0f98e917d8a8e064f8d1c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe

Filesize
6KB

MD5
179fe00f14452a13318d76080d99d2f4

SHA1
ebd25d4ff1d67786dd0011434a8024c4592ec4a8

SHA256
ee79218108b5cf72de7f693a215decf0ef104d7bfe61527aa9a4d0b2c38faf52

SHA512
7a9b8c3d963d11bb2d903a0084514a104eb9e6ebe23768793ca680b7878fe163708b5d4922d8c15c23312fcd32f24b722e35f833a70464678fdc1cc4718b2fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe

Filesize
6KB

MD5
179fe00f14452a13318d76080d99d2f4

SHA1
ebd25d4ff1d67786dd0011434a8024c4592ec4a8

SHA256
ee79218108b5cf72de7f693a215decf0ef104d7bfe61527aa9a4d0b2c38faf52

SHA512
7a9b8c3d963d11bb2d903a0084514a104eb9e6ebe23768793ca680b7878fe163708b5d4922d8c15c23312fcd32f24b722e35f833a70464678fdc1cc4718b2fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwhnqcvgxi.exe

Filesize
6KB

MD5
179fe00f14452a13318d76080d99d2f4

SHA1
ebd25d4ff1d67786dd0011434a8024c4592ec4a8

SHA256
ee79218108b5cf72de7f693a215decf0ef104d7bfe61527aa9a4d0b2c38faf52

SHA512
7a9b8c3d963d11bb2d903a0084514a104eb9e6ebe23768793ca680b7878fe163708b5d4922d8c15c23312fcd32f24b722e35f833a70464678fdc1cc4718b2fee

Download Submit

Analysis

Sharing