lokibot | b89449bf3d7fe4c6e077f9940c78433737f1c57e6fe04a9aa725f451fb439176

General

Target

1cf9fe75d4ac2c08c1b3e89fd85887ef.exe
Size

138KB
MD5

1cf9fe75d4ac2c08c1b3e89fd85887ef
SHA1

4bfa409a1603b623077a1f0624cab7746870db55
SHA256

b89449bf3d7fe4c6e077f9940c78433737f1c57e6fe04a9aa725f451fb439176
SHA512

c04d7c42b00f25ef5e870adccf5bb2fad339276e312fe5a568a97a15605f2a659cb8adbc1ad9afa22024f17c86696f8294a994d57324849866ceb09e24bdaf76
SSDEEP

3072:R1NjcVVnLpPuWbNJhBx7C4d5fclhwiVy7Zz5ph2A/CDVkj0uqJ:LNeZBHhjCIfclKRFt2AqDOhqJ

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 1 IoCs

pid	Process
1736	gjhoodzk.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	1cf9fe75d4ac2c08c1b3e89fd85887ef.exe
1964	1cf9fe75d4ac2c08c1b3e89fd85887ef.exe
1736	gjhoodzk.exe
1264	gjhoodzk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gjhoodzk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gjhoodzk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gjhoodzk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 1264	1736	gjhoodzk.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	gjhoodzk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1736	1964	1cf9fe75d4ac2c08c1b3e89fd85887ef.exe	28
PID 1964 wrote to memory of 1736	1964	1cf9fe75d4ac2c08c1b3e89fd85887ef.exe	28
PID 1964 wrote to memory of 1736	1964	1cf9fe75d4ac2c08c1b3e89fd85887ef.exe	28
PID 1964 wrote to memory of 1736	1964	1cf9fe75d4ac2c08c1b3e89fd85887ef.exe	28
PID 1736 wrote to memory of 1264	1736	gjhoodzk.exe	30
PID 1736 wrote to memory of 1264	1736	gjhoodzk.exe	30
PID 1736 wrote to memory of 1264	1736	gjhoodzk.exe	30
PID 1736 wrote to memory of 1264	1736	gjhoodzk.exe	30
PID 1736 wrote to memory of 1264	1736	gjhoodzk.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gjhoodzk.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gjhoodzk.exe

C:\Users\Admin\AppData\Local\Temp\1cf9fe75d4ac2c08c1b3e89fd85887ef.exe
"C:\Users\Admin\AppData\Local\Temp\1cf9fe75d4ac2c08c1b3e89fd85887ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe
  "C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe
    "C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe

Filesize
6KB

MD5
99c4ee19ed14ecfe341500799563e73c

SHA1
b62740fa946f77c30d38825304f2413a58e1873e

SHA256
c33fc66d40ad598790e2edfe40a8da128bf25566611102b44111d2e329bd12be

SHA512
54ded3e88d766315ea7989078f743d6e0e19fdcebb23eade2a715ef8faedea5270cd689681b8dcbae369aff722cb65073a9d801ec6478482209ed7d30bff8b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe

Filesize
6KB

MD5
99c4ee19ed14ecfe341500799563e73c

SHA1
b62740fa946f77c30d38825304f2413a58e1873e

SHA256
c33fc66d40ad598790e2edfe40a8da128bf25566611102b44111d2e329bd12be

SHA512
54ded3e88d766315ea7989078f743d6e0e19fdcebb23eade2a715ef8faedea5270cd689681b8dcbae369aff722cb65073a9d801ec6478482209ed7d30bff8b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjhoodzk.exe

Filesize
6KB

MD5
99c4ee19ed14ecfe341500799563e73c

SHA1
b62740fa946f77c30d38825304f2413a58e1873e

SHA256
c33fc66d40ad598790e2edfe40a8da128bf25566611102b44111d2e329bd12be

SHA512
54ded3e88d766315ea7989078f743d6e0e19fdcebb23eade2a715ef8faedea5270cd689681b8dcbae369aff722cb65073a9d801ec6478482209ed7d30bff8b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnhsfvofabe.pv

Filesize
104KB

MD5
1d9ae6815d043ed73be82dc86b2355e0

SHA1
bef16a0ebbac6ea8a3ab4788f2fd588bde121766

SHA256
1a4363f13f1e6d4b614e04d7e6e32ba8cee469eb25b94618b47c7b76235d65b3

SHA512
49246c1d29833d1743f460a220e2208752e7695c2450ca9ff0e42ef999f14053d7ab6cbe4645b5a8e352bdb6e7d03c2d49e3091ad985bee87676607781ad796a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkjtt.pwv

Filesize
4KB

MD5
544de389c15d435e822866b01a62c85c

SHA1
61306dac28a995a285411be20b4ab9e9811e64dd

SHA256
6e0c8f5e5f30dd856a1510aefd877319c49e4270ed2a0bf2dc1f088e0b82b09b

SHA512
1431a49c94a70be891f381253aa0890d31704b1c6f31a100eb237ef8fad000dd3bfa93b766f114b52c2b6102f506e543b050535d848590c267852c045121f615

Download Submit
\Users\Admin\AppData\Local\Temp\gjhoodzk.exe

Filesize
6KB

MD5
99c4ee19ed14ecfe341500799563e73c

SHA1
b62740fa946f77c30d38825304f2413a58e1873e

SHA256
c33fc66d40ad598790e2edfe40a8da128bf25566611102b44111d2e329bd12be

SHA512
54ded3e88d766315ea7989078f743d6e0e19fdcebb23eade2a715ef8faedea5270cd689681b8dcbae369aff722cb65073a9d801ec6478482209ed7d30bff8b7e

Download Submit
\Users\Admin\AppData\Local\Temp\gjhoodzk.exe

Filesize
6KB

MD5
99c4ee19ed14ecfe341500799563e73c

SHA1
b62740fa946f77c30d38825304f2413a58e1873e

SHA256
c33fc66d40ad598790e2edfe40a8da128bf25566611102b44111d2e329bd12be

SHA512
54ded3e88d766315ea7989078f743d6e0e19fdcebb23eade2a715ef8faedea5270cd689681b8dcbae369aff722cb65073a9d801ec6478482209ed7d30bff8b7e

Download Submit
\Users\Admin\AppData\Local\Temp\gjhoodzk.exe

Filesize
6KB

MD5
99c4ee19ed14ecfe341500799563e73c

SHA1
b62740fa946f77c30d38825304f2413a58e1873e

SHA256
c33fc66d40ad598790e2edfe40a8da128bf25566611102b44111d2e329bd12be

SHA512
54ded3e88d766315ea7989078f743d6e0e19fdcebb23eade2a715ef8faedea5270cd689681b8dcbae369aff722cb65073a9d801ec6478482209ed7d30bff8b7e

Download Submit
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing