lokibot | a07a1f8a8068d4134dcfc7e46a0f62a3fbe3ad56be5ceadf83df97be0ac86836

Analysis

max time kernel
102s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2022, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vbc.exe
Size

260KB
MD5

a13470984b61c59cd6afe5dc69e92041
SHA1

db9cda3408fe5b9d37cae35fd92ded1a817b1166
SHA256

a07a1f8a8068d4134dcfc7e46a0f62a3fbe3ad56be5ceadf83df97be0ac86836
SHA512

e42c1d59d63792c76db9252672cd1fc21dde24c11688180c7ee9af1b0f622b5a9bb4edcd168ddc3d6415c9411ae108d6b154ac4e1776ba2855470cc8071db492
SSDEEP

3072:rXC0oW2YkQ0UOqXJbS5rBQ5MRpFjLCzh6xOJg0ATF6c0Kc:DRp22DOqXJleXt2l6MJ2h0

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://192.64.118.167/profile.php?id=PVqNZOLjG5SzLuILHLJs0DhkK41hQhGGc7tbVfvBknb6STRAFB3Gek0Zp2ggkXWw4qIZFeB0CM6vFY6lz91Ou2

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	5008	WerFault.exe	82

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5008	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	vbc.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 816
  2⤵
  - Program crash
  PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5008 -ip 5008
1⤵
PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5008-132-0x0000000002E83000-0x0000000002E99000-memory.dmp

Filesize
88KB

Download
memory/5008-133-0x0000000002DD0000-0x0000000002DEB000-memory.dmp

Filesize
108KB

Download
memory/5008-134-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/5008-135-0x0000000002E83000-0x0000000002E99000-memory.dmp

Filesize
88KB

Download
memory/5008-136-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download