lokibot | 5bd660220c19c632f61015729a2b2d94a062a3f0d84ddd49854407e9a5965449

General

Target

Swift_copy29850372950.exe
Size

147KB
MD5

68efea212241f870e86b9fb2ad495fb5
SHA1

d25600f109fb49d70267c40bb99105f01f92805b
SHA256

5bd660220c19c632f61015729a2b2d94a062a3f0d84ddd49854407e9a5965449
SHA512

e1a988c8aa23c0de4a72e0a3d64c798555dbc7c30902b31abd72aa634d4f4fc906f12a9d1d17d4c600ace0699e65c275205b370e8cc9033577b0fd6bb3d54d26
SSDEEP

3072:WfJSq+ytGIon9KcSM9b5W1PSsJ+Bq303TzmtvMEcVqcorD:MEa0N9b5W1PDjtvME4qLD

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gl20/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

ccfxrxpx.execcfxrxpx.exe

pid process

2040 ccfxrxpx.exe
3376 ccfxrxpx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2040	ccfxrxpx.exe
3376	ccfxrxpx.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ccfxrxpx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ccfxrxpx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ccfxrxpx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ccfxrxpx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ccfxrxpx.exe

description pid process target process

PID 2040 set thread context of 3376 2040 ccfxrxpx.exe ccfxrxpx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ccfxrxpx.exe

pid process

2040 ccfxrxpx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ccfxrxpx.exe

description pid process

Token: SeDebugPrivilege 3376 ccfxrxpx.exe

description	pid	process	target process
PID 2040 set thread context of 3376	2040	ccfxrxpx.exe	ccfxrxpx.exe

pid	process
2040	ccfxrxpx.exe

description	pid	process
Token: SeDebugPrivilege	3376	ccfxrxpx.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Swift_copy29850372950.execcfxrxpx.exe

description	pid	process	target process
PID 396 wrote to memory of 2040	396	Swift_copy29850372950.exe	ccfxrxpx.exe
PID 396 wrote to memory of 2040	396	Swift_copy29850372950.exe	ccfxrxpx.exe
PID 396 wrote to memory of 2040	396	Swift_copy29850372950.exe	ccfxrxpx.exe
PID 2040 wrote to memory of 3376	2040	ccfxrxpx.exe	ccfxrxpx.exe
PID 2040 wrote to memory of 3376	2040	ccfxrxpx.exe	ccfxrxpx.exe
PID 2040 wrote to memory of 3376	2040	ccfxrxpx.exe	ccfxrxpx.exe
PID 2040 wrote to memory of 3376	2040	ccfxrxpx.exe	ccfxrxpx.exe

outlook_office_path 1 IoCs

Processes:

ccfxrxpx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ccfxrxpx.exe

outlook_win_path 1 IoCs

Processes:

ccfxrxpx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ccfxrxpx.exe

C:\Users\Admin\AppData\Local\Temp\Swift_copy29850372950.exe
"C:\Users\Admin\AppData\Local\Temp\Swift_copy29850372950.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
"C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe" C:\Users\Admin\AppData\Local\Temp\uxjabmvu.xzc
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
"C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe" C:\Users\Admin\AppData\Local\Temp\uxjabmvu.xzc
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
Filesize
30KB

MD5
b9138849cf942ae6c662c60c22d55cb0

SHA1
25bb91046cd7c89862b87723d67be980e2957ce7

SHA256
c352dd8022d018a4e5a840d02744a8496ea2a09b8838aa941bbd3ea435513354

SHA512
bec5d64159ebed6864c040c2ee951c423112a5d296673812c27a17baca27d308e7a7eec708d5a3b90d27ac2b708b6176f7a60b29d0b9efb061c681a8d7d7c534

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
Filesize
30KB

MD5
b9138849cf942ae6c662c60c22d55cb0

SHA1
25bb91046cd7c89862b87723d67be980e2957ce7

SHA256
c352dd8022d018a4e5a840d02744a8496ea2a09b8838aa941bbd3ea435513354

SHA512
bec5d64159ebed6864c040c2ee951c423112a5d296673812c27a17baca27d308e7a7eec708d5a3b90d27ac2b708b6176f7a60b29d0b9efb061c681a8d7d7c534

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccfxrxpx.exe
Filesize
30KB

MD5
b9138849cf942ae6c662c60c22d55cb0

SHA1
25bb91046cd7c89862b87723d67be980e2957ce7

SHA256
c352dd8022d018a4e5a840d02744a8496ea2a09b8838aa941bbd3ea435513354

SHA512
bec5d64159ebed6864c040c2ee951c423112a5d296673812c27a17baca27d308e7a7eec708d5a3b90d27ac2b708b6176f7a60b29d0b9efb061c681a8d7d7c534

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdvujglpu.q
Filesize
104KB

MD5
0e09a564bc438df10edfdf5c20d39ded

SHA1
36776907f00dc12bfbfb1f55248ce53eacea8fc3

SHA256
13d3e019779df1276c6f4c50390e317742d5683a008e5160d53ee4924d7de27e

SHA512
65d287dc886cd73ea1527182398de176c4492913c531592e9957e6e5e0289b8ba4e4d6ea8a8d14a8ebf223fe6a358f0623de0ef21ac53eb670d21dc665837020

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxjabmvu.xzc
Filesize
5KB

MD5
48ba3b5d665aeef4c58f6ddb23826335

SHA1
25fada10b46e8002b68532fce3782ef91ae0b32a

SHA256
ff0d65d9d7e8b2b8601f8d7a142cecd4d1b3488d101f7d9eef07e286cea18358

SHA512
433461fa51290c4a9dca9f4ac102b01a244de2447e4ca473fab49fe30644a12156df3645659f6b4e0fe2120c9c46084e1a040ad4650a67745be77e00f4d42365

Download Submit
memory/2040-132-0x0000000000000000-mapping.dmp

Download
memory/3376-137-0x0000000000000000-mapping.dmp

Download
memory/3376-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3376-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads