lokibot | 6107d46d911270a0dff4638eb37be034995cf887f633b24a254ce2f642564fbf

General

Target

Inquiry Order.exe
Size

824KB
MD5

2330fdee646708298e2339323ddb367b
SHA1

1347f5999d92f9fdb2a598d7b9c604d84174c617
SHA256

6107d46d911270a0dff4638eb37be034995cf887f633b24a254ce2f642564fbf
SHA512

476cddb75cadb570fb0685ac68515ea501afc495afd90dcc0d15719ba9287c2c1f78b965450e00bf5dd4c0c8456571469d98484df9e4239275952c614376c93c
SSDEEP

12288:OJrR541elNwZvodPeH2mGiPPIkaXfTwhIrht6kKwemZ:ON41eBhw2mGiPwdoPweU

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://162.0.223.13/?08fequikdahgueq78uc

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Inquiry Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Inquiry Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Inquiry Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Inquiry Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Inquiry Order.exe

description pid process target process

PID 1884 set thread context of 2000 1884 Inquiry Order.exe Inquiry Order.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Inquiry Order.exe

pid process

2000 Inquiry Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Inquiry Order.exe

description pid process

Token: SeDebugPrivilege 2000 Inquiry Order.exe

description	pid	process	target process
PID 1884 set thread context of 2000	1884	Inquiry Order.exe	Inquiry Order.exe

pid	process
2000	Inquiry Order.exe

description	pid	process
Token: SeDebugPrivilege	2000	Inquiry Order.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Inquiry Order.exe

description	pid	process	target process
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe
PID 1884 wrote to memory of 2000	1884	Inquiry Order.exe	Inquiry Order.exe

outlook_office_path 1 IoCs

Processes:

Inquiry Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Inquiry Order.exe

outlook_win_path 1 IoCs

Processes:

Inquiry Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Inquiry Order.exe

C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry Order.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-56-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-70-0x00000000740E0000-0x000000007468B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-58-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-66-0x00000000004139DE-mapping.dmp

Download
memory/2000-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-57-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2000-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads