lokibot | 5f4e853dec8fb25a1bf395fadd55a4a90ac7754e1339d17d3c602bb3c66dc6af

General

Target

REMITTANCE SLIP ADVISE_pdf.exe
Size

209KB
MD5

1be9bac6394ecf58c82ff9cfdb17beb7
SHA1

586d42863e3866230a13c2d753e94aa5991f665e
SHA256

5f4e853dec8fb25a1bf395fadd55a4a90ac7754e1339d17d3c602bb3c66dc6af
SHA512

e5645dde55795a16287eab52c0ad45adefa9c2ec91d40ce49b486f7e9baaab52dd29d6170e381c4cc917adac1db8da27bf8fc81a8b58fcad7c8bcb33fd43ec2c
SSDEEP

6144:mbE/HUbt040+3ZQ7qazA4V8rPYqFzak0BqrUe:mb/tiiIqa89P3FqsX

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
4764	hcpyulw.exe
368	hcpyulw.exe

Loads dropped DLL 1 IoCs

pid	Process
3632	hcpyulw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hcpyulw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hcpyulw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hcpyulw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 3632	4764	hcpyulw.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3492	4764	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	hcpyulw.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4764	4148	REMITTANCE SLIP ADVISE_pdf.exe	81
PID 4148 wrote to memory of 4764	4148	REMITTANCE SLIP ADVISE_pdf.exe	81
PID 4148 wrote to memory of 4764	4148	REMITTANCE SLIP ADVISE_pdf.exe	81
PID 4764 wrote to memory of 368	4764	hcpyulw.exe	83
PID 4764 wrote to memory of 368	4764	hcpyulw.exe	83
PID 4764 wrote to memory of 368	4764	hcpyulw.exe	83
PID 4764 wrote to memory of 3632	4764	hcpyulw.exe	84
PID 4764 wrote to memory of 3632	4764	hcpyulw.exe	84
PID 4764 wrote to memory of 3632	4764	hcpyulw.exe	84
PID 4764 wrote to memory of 3632	4764	hcpyulw.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hcpyulw.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hcpyulw.exe

C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
  "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
    "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
    3⤵
    - Executes dropped EXE
    PID:368
- - C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
    "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 660
    3⤵
    - Program crash
    PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4764 -ip 4764
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

Filesize
133KB

MD5
4f55952b6403887ac5f6892b87e7d704

SHA1
b9a2cb36197806c79c1c62aa610b4b010e20d104

SHA256
38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

SHA512
d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

Filesize
133KB

MD5
4f55952b6403887ac5f6892b87e7d704

SHA1
b9a2cb36197806c79c1c62aa610b4b010e20d104

SHA256
38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

SHA512
d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

Filesize
133KB

MD5
4f55952b6403887ac5f6892b87e7d704

SHA1
b9a2cb36197806c79c1c62aa610b4b010e20d104

SHA256
38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

SHA512
d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

Filesize
133KB

MD5
4f55952b6403887ac5f6892b87e7d704

SHA1
b9a2cb36197806c79c1c62aa610b4b010e20d104

SHA256
38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

SHA512
d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndfpbbxx.i

Filesize
104KB

MD5
d1c8d9bf46a1165e80e3b59635bf2884

SHA1
f704bc41a4930a4859420423f404cac43de8e527

SHA256
59d386110a90dd8fc51c3a602c5624b2456b6f2fdf371fac8540c2dba62f4d23

SHA512
b9db300d11b5472791585e4bece00ab1477b0a9a8454674f62c7ea9afe0be691f3c50e6a642ae44ea5f8cc7cf004997e7428e6d1ac865051c1b4f2d6a61aa36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwngs.f

Filesize
4KB

MD5
cd49ab3b45660b0472efda650f1c3480

SHA1
b5686c548f951ed51dd20f0454e75720fb4c6f05

SHA256
fd5997ddb1a6b2bea0ddde2b531a5e1c76f8300c475ee2cbe95c89e576fb2161

SHA512
d7e82adab1334b6553bd30a79d0750581d5c5d8a07e1fee3cb0624a44b9837687c8e7a9a24d667c9ac51a7ff1d02c8a13bc95f5749eaadea8b22dde347707731

Download Submit

Analysis

Sharing