lokibot | 92f02267b83e00b83065045722c1a7824debe30a5ca361970ad83013132b92af

General

Target

vbc (6).exe
Size

137KB
MD5

47add7d8c9c3e7f58d7630ebb3c6e72a
SHA1

0f9b2420eef4a62066161faafbd5794f7241e5db
SHA256

92f02267b83e00b83065045722c1a7824debe30a5ca361970ad83013132b92af
SHA512

ad69926161b497339b7462a3a65c500bc559f513fd004b7d7fe6f63d65ceb5edb0df0b98ba84bc88b1c00b56ad197d331d1431492d2d51a84544e46cfb803741
SSDEEP

3072:QEhKzShSycSMm0MTgSo/C+Nc0JBCeEjvSGWYU4aBaSH1QOVYZc:QBn1FigAGLEj5Wh4aBaQ66YZc

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://208.67.105.162/soft/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

xrxkkg.exexrxkkg.exe

pid process

4904 xrxkkg.exe
2348 xrxkkg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4904	xrxkkg.exe
2348	xrxkkg.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

xrxkkg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xrxkkg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	xrxkkg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xrxkkg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

xrxkkg.exe

description pid process target process

PID 4904 set thread context of 2348 4904 xrxkkg.exe xrxkkg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

xrxkkg.exe

pid process

4904 xrxkkg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xrxkkg.exe

description pid process

Token: SeDebugPrivilege 2348 xrxkkg.exe

description	pid	process	target process
PID 4904 set thread context of 2348	4904	xrxkkg.exe	xrxkkg.exe

pid	process
4904	xrxkkg.exe

description	pid	process
Token: SeDebugPrivilege	2348	xrxkkg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

vbc (6).exexrxkkg.exe

description	pid	process	target process
PID 3464 wrote to memory of 4904	3464	vbc (6).exe	xrxkkg.exe
PID 3464 wrote to memory of 4904	3464	vbc (6).exe	xrxkkg.exe
PID 3464 wrote to memory of 4904	3464	vbc (6).exe	xrxkkg.exe
PID 4904 wrote to memory of 2348	4904	xrxkkg.exe	xrxkkg.exe
PID 4904 wrote to memory of 2348	4904	xrxkkg.exe	xrxkkg.exe
PID 4904 wrote to memory of 2348	4904	xrxkkg.exe	xrxkkg.exe
PID 4904 wrote to memory of 2348	4904	xrxkkg.exe	xrxkkg.exe

outlook_office_path 1 IoCs

Processes:

xrxkkg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	xrxkkg.exe

outlook_win_path 1 IoCs

Processes:

xrxkkg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	xrxkkg.exe

C:\Users\Admin\AppData\Local\Temp\vbc (6).exe
"C:\Users\Admin\AppData\Local\Temp\vbc (6).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe
"C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe" C:\Users\Admin\AppData\Local\Temp\fztrazoia.rq
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe
"C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe" C:\Users\Admin\AppData\Local\Temp\fztrazoia.rq
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cppomy.zt
Filesize
104KB

MD5
b02de9af24a2da5810b04a36f3f23006

SHA1
b66617784fec0e68d03f65b7c2e9bef94dea954a

SHA256
9493192a2bee05eaf5c9d49be3b3f9707c6755350b16422fbeb0aeba0c0e3fe7

SHA512
17fe17deb6b20aed6af48c05a7fb331ea25eda397c043c1574b3e0d3880113a0001a370dcc07d53f38572c3852fcc36e391e12002681d9e94090065d98a76178

Download Submit
C:\Users\Admin\AppData\Local\Temp\fztrazoia.rq
Filesize
5KB

MD5
4f6c1ef2a4a07c4a38754a5951ff5320

SHA1
5a532c4fb193eb92011ffed79ab207f47bbc0866

SHA256
2f60fcd13356c05f68ae6be81ad22c0ffeb9a16b2a43a4eeb74eb89ed8b934e5

SHA512
4becdc4a4c948e7d66e743f62bb73317d52e8bc050806a5b3586422afa13d5b280deddca18fb230f44e3c5165128895119523fec278811324feeeecce8d04c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe
Filesize
46KB

MD5
d32308dd6563efa12e76bddef9dc24e5

SHA1
eb9fdcfa8e98b2deb7d337b7e084f56e49ec13b3

SHA256
ce6fc6c1ba4614e243a06372d246f7ef9f30545c608c32b5c011f60e97df79cc

SHA512
4ef3f1ecc261883d66be6af8884daba4a1d266c6e1111a36d922dbcda2c054f4fe6daa94ffd3492fc059af87598a0f710d086b49dc3a1a8166bac7cef7cf7b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe
Filesize
46KB

MD5
d32308dd6563efa12e76bddef9dc24e5

SHA1
eb9fdcfa8e98b2deb7d337b7e084f56e49ec13b3

SHA256
ce6fc6c1ba4614e243a06372d246f7ef9f30545c608c32b5c011f60e97df79cc

SHA512
4ef3f1ecc261883d66be6af8884daba4a1d266c6e1111a36d922dbcda2c054f4fe6daa94ffd3492fc059af87598a0f710d086b49dc3a1a8166bac7cef7cf7b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrxkkg.exe
Filesize
46KB

MD5
d32308dd6563efa12e76bddef9dc24e5

SHA1
eb9fdcfa8e98b2deb7d337b7e084f56e49ec13b3

SHA256
ce6fc6c1ba4614e243a06372d246f7ef9f30545c608c32b5c011f60e97df79cc

SHA512
4ef3f1ecc261883d66be6af8884daba4a1d266c6e1111a36d922dbcda2c054f4fe6daa94ffd3492fc059af87598a0f710d086b49dc3a1a8166bac7cef7cf7b2f

Download Submit
memory/2348-137-0x0000000000000000-mapping.dmp

Download
memory/2348-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2348-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4904-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads