lokibot | 16f278621ca4e51187507b4eb6568bd0b50cd76bc9d62c801a9febcd7480bdef

Resubmissions

21-09-2023 11:33

230921-nn95qafg3v 10

02-11-2022 12:12

221102-pdb1lsbga7 10

02-11-2022 12:08

221102-pa3n6abfh9 10

04-10-2022 19:21

221004-x2v3dscae5 10

Analysis

max time kernel
140s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order No-079 DT 03.10.2022.exe
Size

371KB
MD5

06d111e86da46ee91aad0b9e3c4ceb7c
SHA1

8fe930a374cd43bc4b1d57f79c6beef78ff77042
SHA256

d7d73c00b7da86c119784a524a81220be76a1804f731ba08618922ef448bdd3c
SHA512

5a3a92361846a9eb2a613e3d1abd287cd68d7cf702950e7d344bd92ddb1b839894c1195750a970b2b85277a80636a2eefb72ff179d179f657e4882a3e81f84f0
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/zH3F3rZ30fPMUYjGE:lToPWBv/cpGrU3y8tGzXFbZ0fE3iE

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

impmxacrhmmlzem.exe

pid process

2736 impmxacrhmmlzem.exe

pid	process
2736	impmxacrhmmlzem.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order No-079 DT 03.10.2022.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Purchase Order No-079 DT 03.10.2022.exe

Loads dropped DLL 1 IoCs

Processes:

impmxacrhmmlzem.exe

pid process

3748 impmxacrhmmlzem.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3748	impmxacrhmmlzem.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

impmxacrhmmlzem.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	impmxacrhmmlzem.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	impmxacrhmmlzem.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	impmxacrhmmlzem.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

impmxacrhmmlzem.exe

description pid process target process

PID 2736 set thread context of 3748 2736 impmxacrhmmlzem.exe impmxacrhmmlzem.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

impmxacrhmmlzem.exe

description pid process

Token: SeDebugPrivilege 3748 impmxacrhmmlzem.exe

description	pid	process	target process
PID 2736 set thread context of 3748	2736	impmxacrhmmlzem.exe	impmxacrhmmlzem.exe

description	pid	process
Token: SeDebugPrivilege	3748	impmxacrhmmlzem.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Purchase Order No-079 DT 03.10.2022.exeimpmxacrhmmlzem.exe

description	pid	process	target process
PID 2476 wrote to memory of 2736	2476	Purchase Order No-079 DT 03.10.2022.exe	impmxacrhmmlzem.exe
PID 2476 wrote to memory of 2736	2476	Purchase Order No-079 DT 03.10.2022.exe	impmxacrhmmlzem.exe
PID 2476 wrote to memory of 2736	2476	Purchase Order No-079 DT 03.10.2022.exe	impmxacrhmmlzem.exe
PID 2736 wrote to memory of 3748	2736	impmxacrhmmlzem.exe	impmxacrhmmlzem.exe
PID 2736 wrote to memory of 3748	2736	impmxacrhmmlzem.exe	impmxacrhmmlzem.exe
PID 2736 wrote to memory of 3748	2736	impmxacrhmmlzem.exe	impmxacrhmmlzem.exe
PID 2736 wrote to memory of 3748	2736	impmxacrhmmlzem.exe	impmxacrhmmlzem.exe

outlook_office_path 1 IoCs

Processes:

impmxacrhmmlzem.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	impmxacrhmmlzem.exe

outlook_win_path 1 IoCs

Processes:

impmxacrhmmlzem.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	impmxacrhmmlzem.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order No-079 DT 03.10.2022.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order No-079 DT 03.10.2022.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe
"C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe
"C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe"
3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe
Filesize
6KB

MD5
58dae549a95522ce74dfda819bc2b8b5

SHA1
7941b02cfa73b5ea89dc684c596b4e8cfe6dcba5

SHA256
72bf301c8a8486fb02c1dd1567326282c99048b3ed122040ce4718c47c4d6cc2

SHA512
d6277e8218bd7da69beedd5f437dcb8dac849458d6aeb139064b8c27731da4ab5b0f086d827224015f5ce35dfa22c17fa7b5fba0cc98804d7be8b26e031dacba

Download Submit
C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe
Filesize
6KB

MD5
58dae549a95522ce74dfda819bc2b8b5

SHA1
7941b02cfa73b5ea89dc684c596b4e8cfe6dcba5

SHA256
72bf301c8a8486fb02c1dd1567326282c99048b3ed122040ce4718c47c4d6cc2

SHA512
d6277e8218bd7da69beedd5f437dcb8dac849458d6aeb139064b8c27731da4ab5b0f086d827224015f5ce35dfa22c17fa7b5fba0cc98804d7be8b26e031dacba

Download Submit
C:\Users\Admin\AppData\Local\Temp\impmxacrhmmlzem.exe
Filesize
6KB

MD5
58dae549a95522ce74dfda819bc2b8b5

SHA1
7941b02cfa73b5ea89dc684c596b4e8cfe6dcba5

SHA256
72bf301c8a8486fb02c1dd1567326282c99048b3ed122040ce4718c47c4d6cc2

SHA512
d6277e8218bd7da69beedd5f437dcb8dac849458d6aeb139064b8c27731da4ab5b0f086d827224015f5ce35dfa22c17fa7b5fba0cc98804d7be8b26e031dacba

Download Submit
C:\Users\Admin\AppData\Local\Temp\loouoa.ovn
Filesize
104KB

MD5
49c0e5426873d5c391859eff70882aea

SHA1
d67be96737c57614be9af63ae1b8d99ac2b84a94

SHA256
311b6c210ffe3dcbed2b5419005e053dc7cb1c9f88a6f46ef4a462df2e0cdc37

SHA512
453b6d112271b117e7a5cdcdec9f8d2782b8cd14da4f79e6659fa479a79974366baaab3db3876d33b98194753c534664f7cce9f2185dde0d2b4322d1f3d28cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzlkuq.opk
Filesize
4KB

MD5
171403f28cff9e0bb2b9fb1af649ef29

SHA1
a46d3a9163ac7be7502f9db907eefd0c0ba4343f

SHA256
349bcf4cd16b2045cb4bf9ea2df6e06f1ed442015e419bf045b4122ec0a828c1

SHA512
bd381f3527afbe40ac047a9385ee530d2846673c3fa1c9543edbd1f704b468806a7c4f7ec1615e1f6a85d7ce59f42300d6de628243d4a5a47fb9df94985f38a8

Download Submit
memory/2736-132-0x0000000000000000-mapping.dmp

Download
memory/3748-137-0x0000000000000000-mapping.dmp

Download