lokibot | c48c54a2b2b453e86b248a1ea9dbfe0d5b533db99e431dc8635c2763420c1afd

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RLOI JS01-2.exe
Size

370KB
MD5

82773c3d9fe4c2aecf34451f482e29c4
SHA1

6051b7f6a267911b4536c8c467b7237ccfd0cece
SHA256

c48c54a2b2b453e86b248a1ea9dbfe0d5b533db99e431dc8635c2763420c1afd
SHA512

e7c9eb748f5f1531273475afd563dd6e7da3a1731f7835d0b3b613675aa9065539f00fb320fe121f1999d012b4e7c9a9c220868e09533331b8d4dd0e0953a016
SSDEEP

6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/cr+GM3qnWEbhGi:lToPWBv/cpGrU3y8tGclMreX

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

xbadflzhw.exe

pid process

976 xbadflzhw.exe
Loads dropped DLL 7 IoCs

Processes:

RLOI JS01-2.exexbadflzhw.exexbadflzhw.exe

pid process

1204 RLOI JS01-2.exe
1204 RLOI JS01-2.exe
1204 RLOI JS01-2.exe
1204 RLOI JS01-2.exe
1204 RLOI JS01-2.exe
976 xbadflzhw.exe
1504 xbadflzhw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
976	xbadflzhw.exe

pid	process
1204	RLOI JS01-2.exe
1204	RLOI JS01-2.exe
1204	RLOI JS01-2.exe
1204	RLOI JS01-2.exe
1204	RLOI JS01-2.exe
976	xbadflzhw.exe
1504	xbadflzhw.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

xbadflzhw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xbadflzhw.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xbadflzhw.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	xbadflzhw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xbadflzhw.exe

description pid process target process

PID 976 set thread context of 1504 976 xbadflzhw.exe xbadflzhw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xbadflzhw.exe

description pid process

Token: SeDebugPrivilege 1504 xbadflzhw.exe

description	pid	process	target process
PID 976 set thread context of 1504	976	xbadflzhw.exe	xbadflzhw.exe

description	pid	process
Token: SeDebugPrivilege	1504	xbadflzhw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

RLOI JS01-2.exexbadflzhw.exe

description	pid	process	target process
PID 1204 wrote to memory of 976	1204	RLOI JS01-2.exe	xbadflzhw.exe
PID 1204 wrote to memory of 976	1204	RLOI JS01-2.exe	xbadflzhw.exe
PID 1204 wrote to memory of 976	1204	RLOI JS01-2.exe	xbadflzhw.exe
PID 1204 wrote to memory of 976	1204	RLOI JS01-2.exe	xbadflzhw.exe
PID 976 wrote to memory of 1504	976	xbadflzhw.exe	xbadflzhw.exe
PID 976 wrote to memory of 1504	976	xbadflzhw.exe	xbadflzhw.exe
PID 976 wrote to memory of 1504	976	xbadflzhw.exe	xbadflzhw.exe
PID 976 wrote to memory of 1504	976	xbadflzhw.exe	xbadflzhw.exe
PID 976 wrote to memory of 1504	976	xbadflzhw.exe	xbadflzhw.exe

outlook_office_path 1 IoCs

Processes:

xbadflzhw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xbadflzhw.exe

outlook_win_path 1 IoCs

Processes:

xbadflzhw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xbadflzhw.exe

C:\Users\Admin\AppData\Local\Temp\RLOI JS01-2.exe
"C:\Users\Admin\AppData\Local\Temp\RLOI JS01-2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
"C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
"C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe"
3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbxzgdpwgp.f
Filesize
4KB

MD5
abd574f1939214a11f1da45515793443

SHA1
ab409b781452345c431deb3f2d57864fa96b284d

SHA256
b7a19a9d2efd461d66706c5e86397c6e1625e6fad4ac2302258f3f9e7d4ae90b

SHA512
129ca74cd491040c8b3f4d2a4cfa41ec02c6ae093331a970dcdbc2c0fa06038f471739701f7101236af8d994253c66604c4a33e0bdf68730ad3ee037ff9ba3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzoshoiydx.q
Filesize
104KB

MD5
9be9047854d35fe77b8bb9f3f4b5ba3d

SHA1
9f3cf7f31e3c97481af049c5556f0b1d86300fb1

SHA256
bbe16f8662580d956ebb86f4d9342bbdb4ae7dd23d60b0db4dff2f91a36ce738

SHA512
04cba44edc77957ca3fe6452d6c5af2ed0abbeb686505418761bd11c9832bd8b8b4c30c0c3e4679e8a061e6bfa8404a0a809676e6eb97bd46f86c523370af5f9

Download Submit
\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
Filesize
5KB

MD5
72799033862c59dd05e3f9f4d8d207b1

SHA1
35213e76519590866a0438e2aad3f8f9676bcde6

SHA256
3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14

SHA512
b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01

Download Submit
memory/976-60-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1504-66-0x00000000004139DE-mapping.dmp

Download