lokibot | 0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a

Analysis

max time kernel
143s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
10-11-2022 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a.exe
Size

174KB
MD5

9bdd98699b762b74ca46e1b3e5f7ace8
SHA1

d7c6821d9d06186ef3246f151ff35dc6a7208600
SHA256

0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a
SHA512

5a26a69c739cf9f44a7497b3ef41b8988238c33433f8c4979b3eed63a45fa8f114be911a31bd35faa5c56e2ca480cdb300c9fb06eebce15c842666a161de4241
SSDEEP

3072:WfJSq+ytGIon9KcSMf/RQD0bZfV6UPNdDQmalxVpijteSHRfsjVdNHEh1DbzsF9z:MEa0NfZmdU1dDZO3UjteS5id41DbAZh

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://sempersim.su/gl6/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 3 IoCs

pid	Process
4544	psoethuk.exe
1932	psoethuk.exe
2328	psoethuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	psoethuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	psoethuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	psoethuk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 2328	4544	psoethuk.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4544	psoethuk.exe
4544	psoethuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	psoethuk.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 4544	2664	0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a.exe	66
PID 2664 wrote to memory of 4544	2664	0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a.exe	66
PID 2664 wrote to memory of 4544	2664	0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a.exe	66
PID 4544 wrote to memory of 1932	4544	psoethuk.exe	67
PID 4544 wrote to memory of 1932	4544	psoethuk.exe	67
PID 4544 wrote to memory of 1932	4544	psoethuk.exe	67
PID 4544 wrote to memory of 2328	4544	psoethuk.exe	68
PID 4544 wrote to memory of 2328	4544	psoethuk.exe	68
PID 4544 wrote to memory of 2328	4544	psoethuk.exe	68
PID 4544 wrote to memory of 2328	4544	psoethuk.exe	68

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	psoethuk.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	psoethuk.exe

C:\Users\Admin\AppData\Local\Temp\0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a.exe
"C:\Users\Admin\AppData\Local\Temp\0f5bef2f38014785cab2782e9dc0dfc0841293ba4f230d19cdc8046f251ea84a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\psoethuk.exe
  "C:\Users\Admin\AppData\Local\Temp\psoethuk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\psoethuk.exe
    "C:\Users\Admin\AppData\Local\Temp\psoethuk.exe"
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\psoethuk.exe
    "C:\Users\Admin\AppData\Local\Temp\psoethuk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbhvnx.vg

Filesize
104KB

MD5
1fb44822559fbb037d55aa297e06489f

SHA1
33fc0be7791a8df5320fbeccfed17d6e4d92bf00

SHA256
ab3651b1c32f571a8f59e42f27c9f92528e5c46dd989db707b7ad93ed987f42c

SHA512
b4b759a92ee5d635b4526eb8086c84c9e827a81e31ae7410a81223d6bbaf4041f11eb8f88596173b459fa654602f3b50bd481a3dba0aa9fba2cd3858df9b1db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\koohryz.ol

Filesize
5KB

MD5
5c21e99d6d25b4e81cf7ab7d423ff1e3

SHA1
0b0ea9329a25cec6fbb6754249fb1e69a7e22f81

SHA256
e97993851b366b1a9458becd02e7bc927e30d2f97f6afe93113d21eef496cfde

SHA512
41bcc261061697f714f7da3c3882f8b7f46e6b2164f916294fed2ba6c6e867fd728c6cee544aa5f396de6a43bc8f64969fbd5ebd4b5a94093d42bd6175015e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\psoethuk.exe

Filesize
73KB

MD5
d19b044293f6ef50cfaebb95fbedf6fb

SHA1
7f12f522f7b2769b40bbce0c21fe770bab1f628c

SHA256
1fd9c6cdf7a54730b54a31e82d7fabd4d999a57704b27385780367a568081be6

SHA512
23639ec44b61378e5d22a23db76c0f894559c2f87a05b9062e440cfa226e8d335c0e861d0c6f7f3170f68de4d992028a42a6cf3c74bd931fed404221cf531062

Download Submit
C:\Users\Admin\AppData\Local\Temp\psoethuk.exe

Filesize
73KB

MD5
d19b044293f6ef50cfaebb95fbedf6fb

SHA1
7f12f522f7b2769b40bbce0c21fe770bab1f628c

SHA256
1fd9c6cdf7a54730b54a31e82d7fabd4d999a57704b27385780367a568081be6

SHA512
23639ec44b61378e5d22a23db76c0f894559c2f87a05b9062e440cfa226e8d335c0e861d0c6f7f3170f68de4d992028a42a6cf3c74bd931fed404221cf531062

Download Submit
C:\Users\Admin\AppData\Local\Temp\psoethuk.exe

Filesize
73KB

MD5
d19b044293f6ef50cfaebb95fbedf6fb

SHA1
7f12f522f7b2769b40bbce0c21fe770bab1f628c

SHA256
1fd9c6cdf7a54730b54a31e82d7fabd4d999a57704b27385780367a568081be6

SHA512
23639ec44b61378e5d22a23db76c0f894559c2f87a05b9062e440cfa226e8d335c0e861d0c6f7f3170f68de4d992028a42a6cf3c74bd931fed404221cf531062

Download Submit
C:\Users\Admin\AppData\Local\Temp\psoethuk.exe

Filesize
73KB

MD5
d19b044293f6ef50cfaebb95fbedf6fb

SHA1
7f12f522f7b2769b40bbce0c21fe770bab1f628c

SHA256
1fd9c6cdf7a54730b54a31e82d7fabd4d999a57704b27385780367a568081be6

SHA512
23639ec44b61378e5d22a23db76c0f894559c2f87a05b9062e440cfa226e8d335c0e861d0c6f7f3170f68de4d992028a42a6cf3c74bd931fed404221cf531062

Download Submit
memory/2328-250-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2328-234-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2664-151-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-157-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-126-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-127-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-128-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-130-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-129-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-131-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-132-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-133-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-134-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-135-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-136-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-137-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-138-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-139-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-140-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-141-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-142-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-143-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-144-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-145-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-146-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-147-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-148-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-149-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-150-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-124-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-152-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-153-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-154-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-155-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-156-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-125-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-158-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-159-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-160-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-120-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-121-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-122-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-123-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-179-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-184-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-168-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-170-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-171-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-173-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-174-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-175-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-176-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-172-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-186-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-167-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-181-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-180-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-166-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-182-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-183-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-165-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-164-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-163-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-178-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-185-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-177-0x0000000077730000-0x00000000778BE000-memory.dmp

Filesize
1.6MB

Download