lokibot | 9d3a6225b5afb12815d37e34f88cf8d33d366c401bb53ae23a75599361e33bde

General

Target

Fluxo de Caixa.exe
Size

371KB
MD5

01b936cf783fe182a628c65e70dfebd9
SHA1

273ca25fc53e1e07aa2e398bb5850c1c75863bc5
SHA256

9d3a6225b5afb12815d37e34f88cf8d33d366c401bb53ae23a75599361e33bde
SHA512

dd3134c70d933ff9dffc280d2992776776b5e257846884dacd6fbb077a455ebeb5158e27da6b5dd0c0083d82f3c5399abb6e7a6da91daeff4f73d0b7cb148bc3
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/a02zubNdw0I:lToPWBv/cpGrU3y8tGgubNd6

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

fnnegxcnfza.exefnnegxcnfza.exe

pid process

3160 fnnegxcnfza.exe
2168 fnnegxcnfza.exe

pid	process
3160	fnnegxcnfza.exe
2168	fnnegxcnfza.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fluxo de Caixa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Fluxo de Caixa.exe

Loads dropped DLL 1 IoCs

Processes:

fnnegxcnfza.exe

pid process

4356 fnnegxcnfza.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4356	fnnegxcnfza.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fnnegxcnfza.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fnnegxcnfza.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	fnnegxcnfza.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fnnegxcnfza.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fnnegxcnfza.exe

description pid process target process

PID 3160 set thread context of 4356 3160 fnnegxcnfza.exe fnnegxcnfza.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fnnegxcnfza.exe

description pid process

Token: SeDebugPrivilege 4356 fnnegxcnfza.exe

description	pid	process	target process
PID 3160 set thread context of 4356	3160	fnnegxcnfza.exe	fnnegxcnfza.exe

description	pid	process
Token: SeDebugPrivilege	4356	fnnegxcnfza.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Fluxo de Caixa.exefnnegxcnfza.exe

description	pid	process	target process
PID 4944 wrote to memory of 3160	4944	Fluxo de Caixa.exe	fnnegxcnfza.exe
PID 4944 wrote to memory of 3160	4944	Fluxo de Caixa.exe	fnnegxcnfza.exe
PID 4944 wrote to memory of 3160	4944	Fluxo de Caixa.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 2168	3160	fnnegxcnfza.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 2168	3160	fnnegxcnfza.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 2168	3160	fnnegxcnfza.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 4356	3160	fnnegxcnfza.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 4356	3160	fnnegxcnfza.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 4356	3160	fnnegxcnfza.exe	fnnegxcnfza.exe
PID 3160 wrote to memory of 4356	3160	fnnegxcnfza.exe	fnnegxcnfza.exe

outlook_office_path 1 IoCs

Processes:

fnnegxcnfza.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fnnegxcnfza.exe

outlook_win_path 1 IoCs

Processes:

fnnegxcnfza.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fnnegxcnfza.exe

C:\Users\Admin\AppData\Local\Temp\Fluxo de Caixa.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxo de Caixa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
"C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
"C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe"
3⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
"C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe"
3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
Filesize
6KB

MD5
7cf4ea82535ade82b1c712d20fc29b7e

SHA1
12aec20e69d3128d79af90f080cab507c2a39cf5

SHA256
8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469

SHA512
dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
Filesize
6KB

MD5
7cf4ea82535ade82b1c712d20fc29b7e

SHA1
12aec20e69d3128d79af90f080cab507c2a39cf5

SHA256
8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469

SHA512
dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
Filesize
6KB

MD5
7cf4ea82535ade82b1c712d20fc29b7e

SHA1
12aec20e69d3128d79af90f080cab507c2a39cf5

SHA256
8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469

SHA512
dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnnegxcnfza.exe
Filesize
6KB

MD5
7cf4ea82535ade82b1c712d20fc29b7e

SHA1
12aec20e69d3128d79af90f080cab507c2a39cf5

SHA256
8256f8a9f9059ecf6c71b29bba79230426aa658fda8bae17b729f6b97edfd469

SHA512
dc1ef3cce843f7badf7fd0b14ab20c4f470f2ad6e4b3f033124d2eeb8114081e92037ea6d1fe98fe18522c8fcb734fccc275a96a40d9dd24830eb9471947b682

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsvkvrvdfb.po
Filesize
104KB

MD5
c55695b69f3e38ad70a2c6fbb3518a97

SHA1
42b20c90103af7176b7549adfab8d3c3fcf1f5d8

SHA256
e7d12a75068e15a01a48e08bd11527396fa9445a761ddc4530d72e9089267011

SHA512
ccc9aebd70218b34066f2194fca2af40426023302799dd08cd155efb818023a61ec79d5445e803ade067ac6506c424be3dc93dc7fb1148797572a268ec3197a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\shaelzmn.wr
Filesize
4KB

MD5
f31d1ffd7c8559e89cf35e1d87ef8d97

SHA1
6851155ae1d3920aadaa440dc54fe46935ad2d0c

SHA256
97c3725a2759814ad8e67c1c08f53e2bfacd6e66c0a97aa881549641e8b8ff06

SHA512
c22c66570d12617b0dcd7f49eb5e2433ba209a6fbf136a14d9ec51d7ab840ef51791de69c2f778a653116e6773c678c0dde80c834c0ea11abe6b410bd85c6e22

Download Submit
memory/3160-132-0x0000000000000000-mapping.dmp

Download
memory/4356-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads