lokibot | 04322d8af3fe7d7ba8c91fd9c076c7b7a71f216859cf6a33cbfda968cfaf6581

General

Target

tmp.exe
Size

217KB
MD5

e6144637781eb593a2809559bb2e4254
SHA1

09854da4d0c6f009f793e46ea0a6aed064c82036
SHA256

04322d8af3fe7d7ba8c91fd9c076c7b7a71f216859cf6a33cbfda968cfaf6581
SHA512

9dd87bf9e044c8369e2ad5fe57c3821385303ddfb505e1b3a1c2c4fce4ce347e9dde92b7fbb72c6e136ea126f96aafd4e1917ebe3c9fdd38df86e82f02952547
SSDEEP

3072:WfJSq+ytGIon9KcSMFHxaj9ifVXG4XW2cIqo/pmcUbV0NIsrriJYdbAaFPxHOjeR:MEa0NFHZ9XG8/48z1dSAPPAJ+3

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://23.239.31.197/?page=344566415468244

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1732	trjgnnskmo.exe
1396	trjgnnskmo.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	tmp.exe
1732	trjgnnskmo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	trjgnnskmo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	trjgnnskmo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	trjgnnskmo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 1396	1732	trjgnnskmo.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1732	trjgnnskmo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	trjgnnskmo.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1732	1196	tmp.exe	27
PID 1196 wrote to memory of 1732	1196	tmp.exe	27
PID 1196 wrote to memory of 1732	1196	tmp.exe	27
PID 1196 wrote to memory of 1732	1196	tmp.exe	27
PID 1732 wrote to memory of 1396	1732	trjgnnskmo.exe	28
PID 1732 wrote to memory of 1396	1732	trjgnnskmo.exe	28
PID 1732 wrote to memory of 1396	1732	trjgnnskmo.exe	28
PID 1732 wrote to memory of 1396	1732	trjgnnskmo.exe	28
PID 1732 wrote to memory of 1396	1732	trjgnnskmo.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	trjgnnskmo.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	trjgnnskmo.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe
  "C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe
    "C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rvotgeavz.tz

Filesize
104KB

MD5
104000ccfa72eecb4592fc0e6b18dc92

SHA1
df7156bc25edd108be1f28ceab85944d7880cb0d

SHA256
5e3ea8d28a692c613360a2f231762ef60dcf8cc5c4a573ff0d7ba76da0a3da57

SHA512
74c048eeeba6097968e94905a87592b834eaeb7956ecf2741dea933cb1de5a8fe093c7beb9fa69e2502578bad19137ca25755d79c9a6d6c3946f4d198aca1263

Download Submit
C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe

Filesize
148KB

MD5
fcea931c271fd2512dfc03fbf082fc45

SHA1
662891a817ebbd41633017d2fa1a36880ef3a4f6

SHA256
bf3fdb0375f79438df70d66ae4952e3dbb32baea1da060272199e5ad2579588e

SHA512
48f40b33e86712d97458a7289f4c87734ce645d7838402572adc2bafb04f991e344e7d3513e25d22e8c54c1d891fbb8d2d4db8207fc0bf3d2b9aaf7d209b2ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe

Filesize
148KB

MD5
fcea931c271fd2512dfc03fbf082fc45

SHA1
662891a817ebbd41633017d2fa1a36880ef3a4f6

SHA256
bf3fdb0375f79438df70d66ae4952e3dbb32baea1da060272199e5ad2579588e

SHA512
48f40b33e86712d97458a7289f4c87734ce645d7838402572adc2bafb04f991e344e7d3513e25d22e8c54c1d891fbb8d2d4db8207fc0bf3d2b9aaf7d209b2ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe

Filesize
148KB

MD5
fcea931c271fd2512dfc03fbf082fc45

SHA1
662891a817ebbd41633017d2fa1a36880ef3a4f6

SHA256
bf3fdb0375f79438df70d66ae4952e3dbb32baea1da060272199e5ad2579588e

SHA512
48f40b33e86712d97458a7289f4c87734ce645d7838402572adc2bafb04f991e344e7d3513e25d22e8c54c1d891fbb8d2d4db8207fc0bf3d2b9aaf7d209b2ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjaieyynnta.qo

Filesize
5KB

MD5
47739294e0a9299b587b4ffb23f83c2e

SHA1
95ca2bff3caebabcbe30e31eb26403f82930eb26

SHA256
4a39a07c6ec3980e0f4bafff8190358adacec40d97c1d5999d722e4cfa958d50

SHA512
e6ce1d602322ae3555b8f0cf5ef742b723acd84d6d9da40b5b1bb0672217a15d4dd06469822be827daf61ba9897e27a33fb8777f2d6a09cd471f04bb3cae075e

Download Submit
\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe

Filesize
148KB

MD5
fcea931c271fd2512dfc03fbf082fc45

SHA1
662891a817ebbd41633017d2fa1a36880ef3a4f6

SHA256
bf3fdb0375f79438df70d66ae4952e3dbb32baea1da060272199e5ad2579588e

SHA512
48f40b33e86712d97458a7289f4c87734ce645d7838402572adc2bafb04f991e344e7d3513e25d22e8c54c1d891fbb8d2d4db8207fc0bf3d2b9aaf7d209b2ca0

Download Submit
\Users\Admin\AppData\Local\Temp\trjgnnskmo.exe

Filesize
148KB

MD5
fcea931c271fd2512dfc03fbf082fc45

SHA1
662891a817ebbd41633017d2fa1a36880ef3a4f6

SHA256
bf3fdb0375f79438df70d66ae4952e3dbb32baea1da060272199e5ad2579588e

SHA512
48f40b33e86712d97458a7289f4c87734ce645d7838402572adc2bafb04f991e344e7d3513e25d22e8c54c1d891fbb8d2d4db8207fc0bf3d2b9aaf7d209b2ca0

Download Submit
memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1396-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1396-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing