lokibot | e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe

Analysis

max time kernel
140s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
25-11-2022 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe
Size

236KB
MD5

9632628f4b25e22bf57a5fb1010daf4e
SHA1

339706d04fbc6c4a0e3cad9c8a12d7b88a8a0dcb
SHA256

e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe
SHA512

7411d58528caa6576a5f6433306d9d44c83e3bc8b2ac565a5b0db16d5097d3c8b7f574ce1247aa04f4b33ab97b611b7ce2e74866fb082c77c7c4e84b9752af66
SSDEEP

6144:QBn1PO9HgFIUgwXVH/7/Gf5emejH+PgDSD9LV9Gj4WhwW:gPOhCXVf7/GJnPFDosW

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://sempersim.su/gm13/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

rvtzlpyrgs.exervtzlpyrgs.exe

pid process

2132 rvtzlpyrgs.exe
2320 rvtzlpyrgs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2132	rvtzlpyrgs.exe
2320	rvtzlpyrgs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rvtzlpyrgs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rvtzlpyrgs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rvtzlpyrgs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rvtzlpyrgs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rvtzlpyrgs.exe

description pid process target process

PID 2132 set thread context of 2320 2132 rvtzlpyrgs.exe rvtzlpyrgs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rvtzlpyrgs.exe

pid process

2132 rvtzlpyrgs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rvtzlpyrgs.exe

description pid process

Token: SeDebugPrivilege 2320 rvtzlpyrgs.exe

description	pid	process	target process
PID 2132 set thread context of 2320	2132	rvtzlpyrgs.exe	rvtzlpyrgs.exe

pid	process
2132	rvtzlpyrgs.exe

description	pid	process
Token: SeDebugPrivilege	2320	rvtzlpyrgs.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exervtzlpyrgs.exe

description	pid	process	target process
PID 388 wrote to memory of 2132	388	e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe	rvtzlpyrgs.exe
PID 388 wrote to memory of 2132	388	e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe	rvtzlpyrgs.exe
PID 388 wrote to memory of 2132	388	e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe	rvtzlpyrgs.exe
PID 2132 wrote to memory of 2320	2132	rvtzlpyrgs.exe	rvtzlpyrgs.exe
PID 2132 wrote to memory of 2320	2132	rvtzlpyrgs.exe	rvtzlpyrgs.exe
PID 2132 wrote to memory of 2320	2132	rvtzlpyrgs.exe	rvtzlpyrgs.exe
PID 2132 wrote to memory of 2320	2132	rvtzlpyrgs.exe	rvtzlpyrgs.exe

outlook_office_path 1 IoCs

Processes:

rvtzlpyrgs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rvtzlpyrgs.exe

outlook_win_path 1 IoCs

Processes:

rvtzlpyrgs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rvtzlpyrgs.exe

C:\Users\Admin\AppData\Local\Temp\e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe
"C:\Users\Admin\AppData\Local\Temp\e524d7c7a6d4ade2651a65b9d0c5e162532a70495b957b9a5d34dcaaace571fe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe
"C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe" C:\Users\Admin\AppData\Local\Temp\xdnyr.wb
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe
"C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe" C:\Users\Admin\AppData\Local\Temp\xdnyr.wb
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqqlknbytl.sm

Filesize
104KB

MD5
11b231b1b7306b70ef25d54fac84fe3a

SHA1
f4492882af9358497ebb649ce135869fdbb78e89

SHA256
86a2b6783a599185d30db5e9a8a232d453a2310497b82d09ae7ee7601f0cafcd

SHA512
82a28b5c029ad1951968737bc80a8742710eff5083514c4af243d257c132463033724e274dd217ff411fddcad2e60d6c0c9147ef62628150ac81813fde095c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe

Filesize
320KB

MD5
f9208502b7624ba032dc4dd818b30c30

SHA1
cd76be3e4b437988d0bad4325a4da179e7e127bb

SHA256
0c49cef3f60cf1a48b60dfc066053c709b54ac83a5c39ca3f182f073d54a569e

SHA512
d16a621ffb7853ccc623f010440681f240f407aa8ba53c8888747de3d6206395a7e52c92c4224d085c1dbe605ca442b11d79a13f1b26e8e78c139879784d9f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe

Filesize
320KB

MD5
f9208502b7624ba032dc4dd818b30c30

SHA1
cd76be3e4b437988d0bad4325a4da179e7e127bb

SHA256
0c49cef3f60cf1a48b60dfc066053c709b54ac83a5c39ca3f182f073d54a569e

SHA512
d16a621ffb7853ccc623f010440681f240f407aa8ba53c8888747de3d6206395a7e52c92c4224d085c1dbe605ca442b11d79a13f1b26e8e78c139879784d9f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvtzlpyrgs.exe

Filesize
320KB

MD5
f9208502b7624ba032dc4dd818b30c30

SHA1
cd76be3e4b437988d0bad4325a4da179e7e127bb

SHA256
0c49cef3f60cf1a48b60dfc066053c709b54ac83a5c39ca3f182f073d54a569e

SHA512
d16a621ffb7853ccc623f010440681f240f407aa8ba53c8888747de3d6206395a7e52c92c4224d085c1dbe605ca442b11d79a13f1b26e8e78c139879784d9f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdnyr.wb

Filesize
5KB

MD5
3dec0845b56f914840219608229b6c46

SHA1
46a2e4e0c26f36f3297c0feaf17b28256bbe4f1f

SHA256
6b5a1ee266b6c954b473b361cbe526819de00c6d4bbfbab513ecf7ed7ec96885

SHA512
ca4838505dd2b4b323d5ea3a1862cef2a6b056fa366aafc9c75843f47c503c8360255f680dface66497bc691017b75f39ccaa8be0265bf51cf432d7de8f4ab14

Download Submit
memory/388-146-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-128-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-118-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-117-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-119-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-120-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-121-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-122-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-123-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-124-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-125-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-126-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-127-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-148-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-129-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-130-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-131-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-133-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-132-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-134-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-135-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-136-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-137-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-138-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-149-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-140-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-141-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-142-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-143-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-144-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-145-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-115-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-155-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-116-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-139-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-150-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-151-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-152-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-153-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-154-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-147-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-180-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-173-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-179-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-160-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-161-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-163-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-165-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-162-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-166-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-167-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-170-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-174-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-156-0x0000000000000000-mapping.dmp

Download
memory/2132-159-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-171-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-177-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-178-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-175-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-158-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-181-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-172-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-176-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-169-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2132-168-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/2320-255-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-234-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-202-0x00000000004139DE-mapping.dmp

Download