lokibot | 34cb99613940f2408bc3ca05b9fef7b8d490cd8cada151b65251a1f76fdddc81

General

Target

Shipping Docs_pdf.exe
Size

124KB
MD5

5d651c3d02ee8cc934ba8751b04bf8c4
SHA1

3daf473c34d4819067cec204e22160d8054d6eb9
SHA256

34cb99613940f2408bc3ca05b9fef7b8d490cd8cada151b65251a1f76fdddc81
SHA512

1be180287e2bdc41d28f7e6199172a6dc5b41d2f904b3a956a62d807a46cce4692a978b1ef148861b6e961c882f6d744ff8ff7f9db3785c3a4820b596724dfa9
SSDEEP

3072:QEhKzShSycSMmMFQFxhtIp+8wABgkXbm3PKGRAEN/LoG:QBn1mMGtt9JABgkC3CD8/kG

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://drinz.us/FILAZ/QU/coosaza.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1616	cvegwd.exe
1712	cvegwd.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	Shipping Docs_pdf.exe
1616	cvegwd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvegwd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cvegwd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvegwd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1616 set thread context of 1712	1616	cvegwd.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1616	cvegwd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	cvegwd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1616	1992	Shipping Docs_pdf.exe	28
PID 1992 wrote to memory of 1616	1992	Shipping Docs_pdf.exe	28
PID 1992 wrote to memory of 1616	1992	Shipping Docs_pdf.exe	28
PID 1992 wrote to memory of 1616	1992	Shipping Docs_pdf.exe	28
PID 1616 wrote to memory of 1712	1616	cvegwd.exe	29
PID 1616 wrote to memory of 1712	1616	cvegwd.exe	29
PID 1616 wrote to memory of 1712	1616	cvegwd.exe	29
PID 1616 wrote to memory of 1712	1616	cvegwd.exe	29
PID 1616 wrote to memory of 1712	1616	cvegwd.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvegwd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvegwd.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Docs_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Docs_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\cvegwd.exe
  "C:\Users\Admin\AppData\Local\Temp\cvegwd.exe" C:\Users\Admin\AppData\Local\Temp\amqiosqwe.gzw
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\cvegwd.exe
    "C:\Users\Admin\AppData\Local\Temp\cvegwd.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amqiosqwe.gzw

Filesize
5KB

MD5
03d7cd842b2679afe1bc802ad9968bc3

SHA1
1a9bbc6160064f1c0b0c0372a2c6ed9cb8feb4bf

SHA256
83e9a62fbd2b967c51d383e128cca076c39fe3be1b1099e7075a6a74722fb42f

SHA512
4c2e427324b2a9db454c77744ef126cc892ea16b6d5b96deca8c104751a320fbf42bb15211bdd8dd269e5e5d32553c9ef289cc194c00ccf0b9c48664364eaee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvegwd.exe

Filesize
13KB

MD5
5900d1378e8e937dca25706140d935ff

SHA1
6b36b1b208eaeed0297298c677bdbb5e4af2bca4

SHA256
8cad7f3c8f8b91e8d0c6c7201d76afcc789cd0855a154ab3ebccf5ca6c11d6f6

SHA512
77da687ab9a1cbe8f67ff0b410e38bef5e993c981aa7f0f19d36de5ee72cc2ec0f57b942e6173f3608bc8556d74fe1d6ff781fec3698e41daa16d44ac5e1dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvegwd.exe

Filesize
13KB

MD5
5900d1378e8e937dca25706140d935ff

SHA1
6b36b1b208eaeed0297298c677bdbb5e4af2bca4

SHA256
8cad7f3c8f8b91e8d0c6c7201d76afcc789cd0855a154ab3ebccf5ca6c11d6f6

SHA512
77da687ab9a1cbe8f67ff0b410e38bef5e993c981aa7f0f19d36de5ee72cc2ec0f57b942e6173f3608bc8556d74fe1d6ff781fec3698e41daa16d44ac5e1dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvegwd.exe

Filesize
13KB

MD5
5900d1378e8e937dca25706140d935ff

SHA1
6b36b1b208eaeed0297298c677bdbb5e4af2bca4

SHA256
8cad7f3c8f8b91e8d0c6c7201d76afcc789cd0855a154ab3ebccf5ca6c11d6f6

SHA512
77da687ab9a1cbe8f67ff0b410e38bef5e993c981aa7f0f19d36de5ee72cc2ec0f57b942e6173f3608bc8556d74fe1d6ff781fec3698e41daa16d44ac5e1dc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpmqlxlzjm.tx

Filesize
104KB

MD5
fd37b9e13e0d59818e3ed3055a7f7abe

SHA1
1d50c2c2c25c5d330d3058b28a06ffcd9ae0ac89

SHA256
d07c51ad205e597bd4f1eef5a872741031862dc054e05cde0d9051c61a938b27

SHA512
730de506a36ee3fb62840c9c636812225360b7b7c8639127830977d721c766c8c94baa22f9cbd590ed81c9cd9b007d895ae76e3c50df780b6c8734861d55d0da

Download Submit
\Users\Admin\AppData\Local\Temp\cvegwd.exe

Filesize
13KB

MD5
5900d1378e8e937dca25706140d935ff

SHA1
6b36b1b208eaeed0297298c677bdbb5e4af2bca4

SHA256
8cad7f3c8f8b91e8d0c6c7201d76afcc789cd0855a154ab3ebccf5ca6c11d6f6

SHA512
77da687ab9a1cbe8f67ff0b410e38bef5e993c981aa7f0f19d36de5ee72cc2ec0f57b942e6173f3608bc8556d74fe1d6ff781fec3698e41daa16d44ac5e1dc25

Download Submit
\Users\Admin\AppData\Local\Temp\cvegwd.exe

Filesize
13KB

MD5
5900d1378e8e937dca25706140d935ff

SHA1
6b36b1b208eaeed0297298c677bdbb5e4af2bca4

SHA256
8cad7f3c8f8b91e8d0c6c7201d76afcc789cd0855a154ab3ebccf5ca6c11d6f6

SHA512
77da687ab9a1cbe8f67ff0b410e38bef5e993c981aa7f0f19d36de5ee72cc2ec0f57b942e6173f3608bc8556d74fe1d6ff781fec3698e41daa16d44ac5e1dc25

Download Submit
memory/1616-56-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x00000000004139DE-mapping.dmp

Download
memory/1712-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1712-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing