lokibot | b8d864b09ba66e1cff809b9700c8ef000b2d4ccbaba47c5da69bb7cf44a28795

General

Target

Swift Copy.exe
Size

182KB
MD5

50d9d10506adb6700bb3e0df6d17a5be
SHA1

e11b8c33ea7fa0618fbca8ef6828c2081835e944
SHA256

b8d864b09ba66e1cff809b9700c8ef000b2d4ccbaba47c5da69bb7cf44a28795
SHA512

07a2e25c29ec2c6f1f3f9e51780c0db622e69cd9a56e437c23a5258425b71da7207698f07b9310f9e1ad5fb27a2628d14bd60903bdb81c8db8c6e09a89464593
SSDEEP

3072:qUJoFfWzzl+cSMGGKeoyShiKF9nc+PAukezQLVqM+ZPjZag0dWvsqDbKAnrE7t6D:qweEpGaobF9nBAukeELV50lagLvn+Ao+

Score

10^/10

lokibot collection persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.161/starmoney/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
4792	hhzmndsd.exe
2296	hhzmndsd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hhzmndsd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hhzmndsd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hhzmndsd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vcngt = "C:\\Users\\Admin\\AppData\\Roaming\\gtwttag\\elwdkipqnwjb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hhzmndsd.exe\""	hhzmndsd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4792 set thread context of 2296	4792	hhzmndsd.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4792	hhzmndsd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	hhzmndsd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4792	4932	Swift Copy.exe	81
PID 4932 wrote to memory of 4792	4932	Swift Copy.exe	81
PID 4932 wrote to memory of 4792	4932	Swift Copy.exe	81
PID 4792 wrote to memory of 2296	4792	hhzmndsd.exe	82
PID 4792 wrote to memory of 2296	4792	hhzmndsd.exe	82
PID 4792 wrote to memory of 2296	4792	hhzmndsd.exe	82
PID 4792 wrote to memory of 2296	4792	hhzmndsd.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hhzmndsd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hhzmndsd.exe

C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe
  "C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe
    "C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fsmwbqp.cq

Filesize
7KB

MD5
8ffb34415603b7701d1255aabc424f8b

SHA1
5df1913aa498bded0844e0b96048817b81fba961

SHA256
955e31fa8cd7629838d169bef623b039aebc04b31f4511fd98177e9aa94bf372

SHA512
b70ef7719acae9840afceee4348668a85ece32cf0f5658176b3d064409a5920c535fc295f86ba400ad8157ef9e461443bc972b12f559397caaee307ad637aaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe

Filesize
123KB

MD5
b52aa2082a478485c2d622670682b410

SHA1
095245da10bef08ebb89240fe5cac33f5e88a128

SHA256
d800d4209b71bdd4bb0012cd26137ff33afaff131bd8cb9b5a40d20f6ffbd614

SHA512
01846e9caad035ba2332f8c14cf9ab7c928b0d61c2c536d66e1860a2bbbc44ba5b54180f9ad1bef9ff9e6bd6c4f60aa01b4781c50c9acc19407598e62cbad9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe

Filesize
123KB

MD5
b52aa2082a478485c2d622670682b410

SHA1
095245da10bef08ebb89240fe5cac33f5e88a128

SHA256
d800d4209b71bdd4bb0012cd26137ff33afaff131bd8cb9b5a40d20f6ffbd614

SHA512
01846e9caad035ba2332f8c14cf9ab7c928b0d61c2c536d66e1860a2bbbc44ba5b54180f9ad1bef9ff9e6bd6c4f60aa01b4781c50c9acc19407598e62cbad9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhzmndsd.exe

Filesize
123KB

MD5
b52aa2082a478485c2d622670682b410

SHA1
095245da10bef08ebb89240fe5cac33f5e88a128

SHA256
d800d4209b71bdd4bb0012cd26137ff33afaff131bd8cb9b5a40d20f6ffbd614

SHA512
01846e9caad035ba2332f8c14cf9ab7c928b0d61c2c536d66e1860a2bbbc44ba5b54180f9ad1bef9ff9e6bd6c4f60aa01b4781c50c9acc19407598e62cbad9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzyuguvqkd.gyb

Filesize
104KB

MD5
b3e5532606fc42f3806fea84e128d67b

SHA1
a3e5d1bb936b3530b1e8985b167aaa8fbe4d9282

SHA256
a56e882aaabac9d963addc4c615787aeed958c61846b80892a6fea454c1dd401

SHA512
287c917ce0fe0ce29184c2c600cdb2d96ec4bc55f9620b3617c80594b618f54cdbcfa544f32dfbee34410491b9b544a67c9f70327a6cad3cb1ba97abf968b470

Download Submit
memory/2296-137-0x0000000000000000-mapping.dmp

Download
memory/2296-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2296-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing