lokibot | ea6f6d9fab4b60bafdd8730e249d50c7a1851e4a4dedebc779d266502a0f6ead

General

Target

ProductDetails21638.exe
Size

1.4MB
MD5

e8443af1626f6ccdff4e82cfd293f232
SHA1

9b6a9922c4f1475bf9bf1dd2f71f88905e4a8d90
SHA256

ea6f6d9fab4b60bafdd8730e249d50c7a1851e4a4dedebc779d266502a0f6ead
SHA512

0e8d74490b486320fc3ad65e1f10af78a8da7d83170f0b79b8f9b56a74707ea920599467212886acdf09d3e61b805c7e3468ef96ad052b4adbd9706a55b53d62
SSDEEP

12288:xnjoVnNCBllTDonWZQzjFeM6DJOjB9sTTHyaTE78+agEWflDY8xulEV0VrB2dfb1:UNclQnYQb6VOWQ77agEilDrxulEVQkp

Score

10^/10

lokibot wshrat collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://45.155.165.70/se8se/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

wshrat

C2

http://rze6.sytes.net:4000

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 16 IoCs

flow	pid	Process
27	4184	wscript.exe
32	4184	wscript.exe
33	4184	wscript.exe
34	4184	wscript.exe
35	4184	wscript.exe
36	4184	wscript.exe
37	4184	wscript.exe
38	4184	wscript.exe
39	4184	wscript.exe
40	4184	wscript.exe
41	4184	wscript.exe
42	4184	wscript.exe
44	4184	wscript.exe
45	4184	wscript.exe
46	4184	wscript.exe
47	4184	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ProductDetails21638.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ytdkdurodzdbuild.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ytdkdurodzdbuild.js	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ProductDetails21638.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ProductDetails21638.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ProductDetails21638.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Utmlnipujo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tovisqmi\\Utmlnipujo.exe\""	ProductDetails21638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ytdkdurodzdbuild = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Ytdkdurodzdbuild.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3208 set thread context of 3596	3208	ProductDetails21638.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	ProductDetails21638.exe

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	33	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	35	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	38	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	41	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	44	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	45	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	47	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	34	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	36	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	37	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	40	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	32	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	39	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	27	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	42	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript
HTTP User-Agent header	46	WSHRAT\|18024990\|TMKNGOMU\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 5/10/2022\|JavaScript

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
736	powershell.exe
736	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3596	ProductDetails21638.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	3208	ProductDetails21638.exe
Token: SeDebugPrivilege	3596	ProductDetails21638.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 736	3208	ProductDetails21638.exe	88
PID 3208 wrote to memory of 736	3208	ProductDetails21638.exe	88
PID 3208 wrote to memory of 736	3208	ProductDetails21638.exe	88
PID 3208 wrote to memory of 3856	3208	ProductDetails21638.exe	91
PID 3208 wrote to memory of 3856	3208	ProductDetails21638.exe	91
PID 3208 wrote to memory of 3856	3208	ProductDetails21638.exe	91
PID 3856 wrote to memory of 4184	3856	WScript.exe	93
PID 3856 wrote to memory of 4184	3856	WScript.exe	93
PID 3856 wrote to memory of 4184	3856	WScript.exe	93
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92
PID 3208 wrote to memory of 3596	3208	ProductDetails21638.exe	92

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ProductDetails21638.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ProductDetails21638.exe

C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe
"C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ytdkdurodzdbuild.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Ytdkdurodzdbuild.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:4184
- C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe
  C:\Users\Admin\AppData\Local\Temp\ProductDetails21638.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ytdkdurodzdbuild.js

Filesize
21KB

MD5
cbae567eae4873a19dc1d77885e3ea0f

SHA1
669b5cce2f71651aac783b714140e20552c244fe

SHA256
30e25144d8c3639fad6741c664ce2444076a53176acd50c0760c71c800c05d79

SHA512
85a25484308c03b70418a86878c67a0b0689b1c5f55a78e4c835d5ccb3b256b4b53344d97f6779320d6d0ee50077afb9938e95a32b5058a3c4df100db481c4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ytdkdurodzdbuild.js

Filesize
21KB

MD5
cbae567eae4873a19dc1d77885e3ea0f

SHA1
669b5cce2f71651aac783b714140e20552c244fe

SHA256
30e25144d8c3639fad6741c664ce2444076a53176acd50c0760c71c800c05d79

SHA512
85a25484308c03b70418a86878c67a0b0689b1c5f55a78e4c835d5ccb3b256b4b53344d97f6779320d6d0ee50077afb9938e95a32b5058a3c4df100db481c4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Ytdkdurodzdbuild.js

Filesize
21KB

MD5
cbae567eae4873a19dc1d77885e3ea0f

SHA1
669b5cce2f71651aac783b714140e20552c244fe

SHA256
30e25144d8c3639fad6741c664ce2444076a53176acd50c0760c71c800c05d79

SHA512
85a25484308c03b70418a86878c67a0b0689b1c5f55a78e4c835d5ccb3b256b4b53344d97f6779320d6d0ee50077afb9938e95a32b5058a3c4df100db481c4c9

Download Submit
memory/736-137-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/736-138-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/736-139-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/736-140-0x0000000007D20000-0x000000000839A000-memory.dmp

Filesize
6.5MB

Download
memory/736-141-0x0000000006A80000-0x0000000006A9A000-memory.dmp

Filesize
104KB

Download
memory/736-135-0x0000000005030000-0x0000000005066000-memory.dmp

Filesize
216KB

Download
memory/736-136-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/3208-132-0x0000000000E80000-0x0000000000FE4000-memory.dmp

Filesize
1.4MB

Download
memory/3208-133-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/3596-148-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3596-146-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3596-151-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3596-152-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads