lokibot | 89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0

General

Target

89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0.exe
Size

185KB
MD5

de2e9c0c0ad246abb9bd5b6b2e16a46e
SHA1

a60d234e5f43235b52c90b613de869baeda38403
SHA256

89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0
SHA512

1ae208959114677fc8ff07205204408adac996964f63b476b49d3b29054a88551f7d878a3e73158ceae83e9a5385f949f158a6bec1437a223427d01c9fd21ef8
SSDEEP

3072:l1NjcVVnLpPunbpKxmuQC0Ao1X/JQdxSwihRSL/iQW5iuUllDPUKJioJWidIKWP8:HNeZmpG+C0AoYswihRXQt/D8K4oJdJrh

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 1 IoCs

pid	Process
2836	uywruf.exe

Loads dropped DLL 1 IoCs

pid	Process
3636	uywruf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	uywruf.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	uywruf.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	uywruf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 3636	2836	uywruf.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4656	2836	WerFault.exe	82

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	uywruf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 2836	360	89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0.exe	82
PID 360 wrote to memory of 2836	360	89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0.exe	82
PID 360 wrote to memory of 2836	360	89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0.exe	82
PID 2836 wrote to memory of 3636	2836	uywruf.exe	83
PID 2836 wrote to memory of 3636	2836	uywruf.exe	83
PID 2836 wrote to memory of 3636	2836	uywruf.exe	83
PID 2836 wrote to memory of 3636	2836	uywruf.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	uywruf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	uywruf.exe

C:\Users\Admin\AppData\Local\Temp\89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0.exe
"C:\Users\Admin\AppData\Local\Temp\89ee2ebc50c865b5d9b1f35b74f5c051ecc5ac3b8c233c0c5c8a7b1072237bb0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\uywruf.exe
  "C:\Users\Admin\AppData\Local\Temp\uywruf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\uywruf.exe
    "C:\Users\Admin\AppData\Local\Temp\uywruf.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 568
    3⤵
    - Program crash
    PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2836 -ip 2836
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gvnrm.m

Filesize
104KB

MD5
ead8a40c1703b3b67a364a09e8d958b4

SHA1
891c2cd1a6aa34bd17ca817f8231490771345abe

SHA256
2727644356b52cc2251bb9e9131458c61beb99ef64ba2dc8897836ab4de4c616

SHA512
bd2c4200ac1c0643dfd5d4f1cb1ee07d32031f706bc8154dc22c48d1f482fa99e4b10e5db844be784fc6b7dde83c6516714c71da2302068deb3edaf89ff7ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaxlca.r

Filesize
4KB

MD5
c852269532ee9836cfa90f1f9e2962a7

SHA1
d21ae856ca1c4973cfc6737fb8085335d64dd479

SHA256
ce02f5a5d907f8d9264189e1260e3d7007ccc4c6907ed7c4a687ed0f33c0f0a3

SHA512
1d89f56bf6c723586f3bf2219c27df52e6979243ed9a5edea34a1ad3d442f7578e2858b8ea01c3ecec318c3f2abad0cdc42d907c805d19f9312366e7ee093ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uywruf.exe

Filesize
125KB

MD5
649b306084bd30753004869547db7613

SHA1
a2e56b86ca47ce6bd736fabe89bae8803dab891e

SHA256
8ed149670fae105098f01f08c94ff6289845b3d882b82e7e9dde9a6b51775f7b

SHA512
b1a2c78850dd08d9042a7c0a4a3dbe409a6c67cc3837e7a4dcd78abcde90c22de759084459d4e3969070e2d4fbb517de67163e9864f46fa08e7d64b9d28c9713

Download Submit
C:\Users\Admin\AppData\Local\Temp\uywruf.exe

Filesize
125KB

MD5
649b306084bd30753004869547db7613

SHA1
a2e56b86ca47ce6bd736fabe89bae8803dab891e

SHA256
8ed149670fae105098f01f08c94ff6289845b3d882b82e7e9dde9a6b51775f7b

SHA512
b1a2c78850dd08d9042a7c0a4a3dbe409a6c67cc3837e7a4dcd78abcde90c22de759084459d4e3969070e2d4fbb517de67163e9864f46fa08e7d64b9d28c9713

Download Submit
C:\Users\Admin\AppData\Local\Temp\uywruf.exe

Filesize
125KB

MD5
649b306084bd30753004869547db7613

SHA1
a2e56b86ca47ce6bd736fabe89bae8803dab891e

SHA256
8ed149670fae105098f01f08c94ff6289845b3d882b82e7e9dde9a6b51775f7b

SHA512
b1a2c78850dd08d9042a7c0a4a3dbe409a6c67cc3837e7a4dcd78abcde90c22de759084459d4e3969070e2d4fbb517de67163e9864f46fa08e7d64b9d28c9713

Download Submit

Analysis

Sharing