lokibot | 57e9ce8a8b2ed57e367fe58657005e73fd3bd1d13ad7de0a70b9bd46656737f8

General

Target

8467858258ab1ff22bde09e3405c02e7.exe
Size

123KB
MD5

8467858258ab1ff22bde09e3405c02e7
SHA1

192e5b740b9844d8586f31993fdabe8f5186e159
SHA256

57e9ce8a8b2ed57e367fe58657005e73fd3bd1d13ad7de0a70b9bd46656737f8
SHA512

74694d063ba37211cfbfc01b70f24a3e8b52de4a4adfb053e1c917800a8533634497e6994ab3eb5cdc3dd224c71750bcad4bb54f6f6d17cf92259c6820dcdbe0
SSDEEP

3072:qUJoFfWzzl+cSMCDuMlDnEprVQwxI39hArLDTXPe22gQHvzs2:qweEpHMlEbQwx0h8TXYvs2

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gl6/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
896	bhzvlpefnf.exe
608	bhzvlpefnf.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	8467858258ab1ff22bde09e3405c02e7.exe
896	bhzvlpefnf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	bhzvlpefnf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	bhzvlpefnf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	bhzvlpefnf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 896 set thread context of 608	896	bhzvlpefnf.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
896	bhzvlpefnf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	608	bhzvlpefnf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 896	1196	8467858258ab1ff22bde09e3405c02e7.exe	27
PID 1196 wrote to memory of 896	1196	8467858258ab1ff22bde09e3405c02e7.exe	27
PID 1196 wrote to memory of 896	1196	8467858258ab1ff22bde09e3405c02e7.exe	27
PID 1196 wrote to memory of 896	1196	8467858258ab1ff22bde09e3405c02e7.exe	27
PID 896 wrote to memory of 608	896	bhzvlpefnf.exe	29
PID 896 wrote to memory of 608	896	bhzvlpefnf.exe	29
PID 896 wrote to memory of 608	896	bhzvlpefnf.exe	29
PID 896 wrote to memory of 608	896	bhzvlpefnf.exe	29
PID 896 wrote to memory of 608	896	bhzvlpefnf.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	bhzvlpefnf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	bhzvlpefnf.exe

C:\Users\Admin\AppData\Local\Temp\8467858258ab1ff22bde09e3405c02e7.exe
"C:\Users\Admin\AppData\Local\Temp\8467858258ab1ff22bde09e3405c02e7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe
  "C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe
    "C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe

Filesize
5KB

MD5
f7ee3ebe02259fedf4c548c3654dd4f7

SHA1
ed807bf7b3fd22ca19a4017d9eb1d9ed8b8db15f

SHA256
9ed31de9d3d14e25184c481162f60f7b9e138afe687b40bdea23b06f1120e1d6

SHA512
c0aa0b78ca05fd857ee857ab3addfb0007613df77df305c9cfcec9563e0031a1d76616084e263b9652763f4887a610f2aed7bb85db6ed48db5cbd020f9b62f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe

Filesize
5KB

MD5
f7ee3ebe02259fedf4c548c3654dd4f7

SHA1
ed807bf7b3fd22ca19a4017d9eb1d9ed8b8db15f

SHA256
9ed31de9d3d14e25184c481162f60f7b9e138afe687b40bdea23b06f1120e1d6

SHA512
c0aa0b78ca05fd857ee857ab3addfb0007613df77df305c9cfcec9563e0031a1d76616084e263b9652763f4887a610f2aed7bb85db6ed48db5cbd020f9b62f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe

Filesize
5KB

MD5
f7ee3ebe02259fedf4c548c3654dd4f7

SHA1
ed807bf7b3fd22ca19a4017d9eb1d9ed8b8db15f

SHA256
9ed31de9d3d14e25184c481162f60f7b9e138afe687b40bdea23b06f1120e1d6

SHA512
c0aa0b78ca05fd857ee857ab3addfb0007613df77df305c9cfcec9563e0031a1d76616084e263b9652763f4887a610f2aed7bb85db6ed48db5cbd020f9b62f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecgcwzw.kz

Filesize
104KB

MD5
9196930689456678122db5acdb73e0a5

SHA1
0291de2bdf509af61cb4c2a6120eaa66fd4ebfd3

SHA256
205a7dadd2d38777120adabe193650dfc59ae879c4bf865632f83672a814b168

SHA512
98ed8f7ebadc03f2443377308064d240723d827f22b3b02466e7f2adc3649e512fd9e4ec69881d5e2140a334cf0672c6f382f44c896832dd1f48da778dcd9c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpgquruzxz.ffg

Filesize
5KB

MD5
da19384f536917639284d4a2285ee4e0

SHA1
b90cd5ba8d18b5cff39547a8c8ba8975f78dfe72

SHA256
9b450696e3859cc4d9153fec5f40d6fe43f737508cbf116b549228b88e5ba878

SHA512
598d6422a7609a58d006ee09904cffd976b209029f0bfb84d53535d8d0a41039e9061637db641eb3713106d30dadacfaa378a33a439b478593294ed8b4a987d0

Download Submit
\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe

Filesize
5KB

MD5
f7ee3ebe02259fedf4c548c3654dd4f7

SHA1
ed807bf7b3fd22ca19a4017d9eb1d9ed8b8db15f

SHA256
9ed31de9d3d14e25184c481162f60f7b9e138afe687b40bdea23b06f1120e1d6

SHA512
c0aa0b78ca05fd857ee857ab3addfb0007613df77df305c9cfcec9563e0031a1d76616084e263b9652763f4887a610f2aed7bb85db6ed48db5cbd020f9b62f97

Download Submit
\Users\Admin\AppData\Local\Temp\bhzvlpefnf.exe

Filesize
5KB

MD5
f7ee3ebe02259fedf4c548c3654dd4f7

SHA1
ed807bf7b3fd22ca19a4017d9eb1d9ed8b8db15f

SHA256
9ed31de9d3d14e25184c481162f60f7b9e138afe687b40bdea23b06f1120e1d6

SHA512
c0aa0b78ca05fd857ee857ab3addfb0007613df77df305c9cfcec9563e0031a1d76616084e263b9652763f4887a610f2aed7bb85db6ed48db5cbd020f9b62f97

Download Submit
memory/608-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/608-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing