lokibot | 408df2ad8c4ca7daca906870171422b9cef7d7416a5e7fbc67990cd04d5e91b2

Analysis

max time kernel
129s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 10:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a0c373241cad8aa84c9018b7f50f660.exe
Size

747KB
MD5

4a0c373241cad8aa84c9018b7f50f660
SHA1

fc5713001d2cde484e59ae988fb66b2409c235e8
SHA256

408df2ad8c4ca7daca906870171422b9cef7d7416a5e7fbc67990cd04d5e91b2
SHA512

122709f73eee1855c5abf9992e8790eba321650044883eb013916d37e6ebc37cf87e50f09b8983f003672a156180f5d2d8df5d3f95a1b0a3ba43119eb0a067de
SSDEEP

12288:qFZFKDir+IVP6RAliAJWCJw98Nnma71tOEuXmUKXc1aCosDifYub26:qOk+IpcvCq2cUtLlqaCoZfYuB

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://208.67.105.161/donstan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	4a0c373241cad8aa84c9018b7f50f660.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	4a0c373241cad8aa84c9018b7f50f660.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	4a0c373241cad8aa84c9018b7f50f660.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4680	4a0c373241cad8aa84c9018b7f50f660.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	4a0c373241cad8aa84c9018b7f50f660.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91
PID 3140 wrote to memory of 4680	3140	4a0c373241cad8aa84c9018b7f50f660.exe	91

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	4a0c373241cad8aa84c9018b7f50f660.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	4a0c373241cad8aa84c9018b7f50f660.exe

C:\Users\Admin\AppData\Local\Temp\4a0c373241cad8aa84c9018b7f50f660.exe
"C:\Users\Admin\AppData\Local\Temp\4a0c373241cad8aa84c9018b7f50f660.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\4a0c373241cad8aa84c9018b7f50f660.exe
  "C:\Users\Admin\AppData\Local\Temp\4a0c373241cad8aa84c9018b7f50f660.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-132-0x0000000000580000-0x0000000000640000-memory.dmp

Filesize
768KB

Download
memory/3140-133-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/3140-134-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/3140-135-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/3140-136-0x0000000008A60000-0x0000000008AFC000-memory.dmp

Filesize
624KB

Download
memory/4680-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4680-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4680-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4680-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download