lokibot | ecb00bb8fd9f9fb3de654096a3590e73ac39793e1c8dd3e30d8e859b91c257d8

General

Target

cf39830b73897e3588e5b592ec2ff732.exe
Size

134KB
MD5

cf39830b73897e3588e5b592ec2ff732
SHA1

bce1d08085a637a8347f878261d62218841ad573
SHA256

ecb00bb8fd9f9fb3de654096a3590e73ac39793e1c8dd3e30d8e859b91c257d8
SHA512

ecf7c180f993287a442b0123472af9916dc3eceadf3a78ced43f40165dbafcf5b2af33742d7968cb852c5924d68001d755abca5868d0bbb9c70548825cbec8b8
SSDEEP

3072:WfJSq+ytGIon9KcSMg3tK+fkoBysc4pCFNu7stsmSM55LPVhPQ6e3Gn5h6sZFJ:MEa0NWtDs+ckCFNud8ZFz9msh

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.161/durtch/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1056	ooqbflgvzy.exe
828	ooqbflgvzy.exe

Loads dropped DLL 2 IoCs

pid	Process
1676	cf39830b73897e3588e5b592ec2ff732.exe
1056	ooqbflgvzy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ooqbflgvzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ooqbflgvzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ooqbflgvzy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 828	1056	ooqbflgvzy.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1056	ooqbflgvzy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	ooqbflgvzy.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1056	1676	cf39830b73897e3588e5b592ec2ff732.exe	28
PID 1676 wrote to memory of 1056	1676	cf39830b73897e3588e5b592ec2ff732.exe	28
PID 1676 wrote to memory of 1056	1676	cf39830b73897e3588e5b592ec2ff732.exe	28
PID 1676 wrote to memory of 1056	1676	cf39830b73897e3588e5b592ec2ff732.exe	28
PID 1056 wrote to memory of 828	1056	ooqbflgvzy.exe	30
PID 1056 wrote to memory of 828	1056	ooqbflgvzy.exe	30
PID 1056 wrote to memory of 828	1056	ooqbflgvzy.exe	30
PID 1056 wrote to memory of 828	1056	ooqbflgvzy.exe	30
PID 1056 wrote to memory of 828	1056	ooqbflgvzy.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ooqbflgvzy.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ooqbflgvzy.exe

C:\Users\Admin\AppData\Local\Temp\cf39830b73897e3588e5b592ec2ff732.exe
"C:\Users\Admin\AppData\Local\Temp\cf39830b73897e3588e5b592ec2ff732.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe
  "C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe" C:\Users\Admin\AppData\Local\Temp\sledw.fv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe
    "C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe" C:\Users\Admin\AppData\Local\Temp\sledw.fv
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eagwgro.s

Filesize
104KB

MD5
c2af880a15cf0da6bc534359dab292d6

SHA1
720a868febe11cae1b81cad2989b5b0d11d10994

SHA256
75d855b2fc40e97ee4f79cb2efceff9049dd3ca1d7d920116e58255440af4902

SHA512
bab50c795772197e5e5ec8c76baf21055b09475d1aad3e8435c145d22024fa9e629423a3cd42ed3f8bc4c0640b59591f27e276d0378b5bc2776b072b2dfaa2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe

Filesize
7KB

MD5
fac9cd0ec9f30aa7774cbf9eb973d069

SHA1
8be4d9ab872fe29359ef47893ade2fb3b682728e

SHA256
595ef4ceb38b951eb7c82d9d1ab3f11e00538ffe24b1ffdadab7d13f5dfac03a

SHA512
5f783a0ffc9ea71af76e8a09159129f9f7a23dc462aac28f317de4ca43c53f7da7ad80adea1177c2ad1ae9d5358ad466d9857bb174c00861addc12cc1f3ad1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe

Filesize
7KB

MD5
fac9cd0ec9f30aa7774cbf9eb973d069

SHA1
8be4d9ab872fe29359ef47893ade2fb3b682728e

SHA256
595ef4ceb38b951eb7c82d9d1ab3f11e00538ffe24b1ffdadab7d13f5dfac03a

SHA512
5f783a0ffc9ea71af76e8a09159129f9f7a23dc462aac28f317de4ca43c53f7da7ad80adea1177c2ad1ae9d5358ad466d9857bb174c00861addc12cc1f3ad1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe

Filesize
7KB

MD5
fac9cd0ec9f30aa7774cbf9eb973d069

SHA1
8be4d9ab872fe29359ef47893ade2fb3b682728e

SHA256
595ef4ceb38b951eb7c82d9d1ab3f11e00538ffe24b1ffdadab7d13f5dfac03a

SHA512
5f783a0ffc9ea71af76e8a09159129f9f7a23dc462aac28f317de4ca43c53f7da7ad80adea1177c2ad1ae9d5358ad466d9857bb174c00861addc12cc1f3ad1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sledw.fv

Filesize
5KB

MD5
41085a3d0351a2de265fc6b159589460

SHA1
f592113596365af1941da9977887f060c93bc148

SHA256
547e9112105ef201e4befbbef52da0b67c3c074d84e93296f762dd01b225ff7d

SHA512
edc7606fb32caf9baf425962404a9c5f91cb64d21c2a13eb9935c07518e84f4bf3615885512909523bfbcd93d9d448e8857eb5dab7cd83ea63274baa6e25bfe0

Download Submit
\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe

Filesize
7KB

MD5
fac9cd0ec9f30aa7774cbf9eb973d069

SHA1
8be4d9ab872fe29359ef47893ade2fb3b682728e

SHA256
595ef4ceb38b951eb7c82d9d1ab3f11e00538ffe24b1ffdadab7d13f5dfac03a

SHA512
5f783a0ffc9ea71af76e8a09159129f9f7a23dc462aac28f317de4ca43c53f7da7ad80adea1177c2ad1ae9d5358ad466d9857bb174c00861addc12cc1f3ad1fb

Download Submit
\Users\Admin\AppData\Local\Temp\ooqbflgvzy.exe

Filesize
7KB

MD5
fac9cd0ec9f30aa7774cbf9eb973d069

SHA1
8be4d9ab872fe29359ef47893ade2fb3b682728e

SHA256
595ef4ceb38b951eb7c82d9d1ab3f11e00538ffe24b1ffdadab7d13f5dfac03a

SHA512
5f783a0ffc9ea71af76e8a09159129f9f7a23dc462aac28f317de4ca43c53f7da7ad80adea1177c2ad1ae9d5358ad466d9857bb174c00861addc12cc1f3ad1fb

Download Submit
memory/828-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/828-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1676-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing