lokibot | dc35769a749ae7caae46ba23c25c6cf8708a5e702b8dcf7d57fa365c8895d515

Analysis

max time kernel
127s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(ZEPP Transport GmbHPO07960)doc.exe
Size

227KB
MD5

3c1f57b52d90b7597e57fcd4480f567a
SHA1

7bb6056875856d4e22a82a9d98edba7451253a13
SHA256

dc35769a749ae7caae46ba23c25c6cf8708a5e702b8dcf7d57fa365c8895d515
SHA512

1aa8ab514805df64bb7480a430a750d4744fdd659a5743b6205c9ea6a53645275ba67de3c2019590046fe44c67625ae7f210e2aaa139fb5495aef19d8036dac2
SSDEEP

6144:Q42xwMxES6pJRXDXg20zq/FNvkMA93m8h:NMMzTizIF9c93D

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://efvsx.tk/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4572 set thread context of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	(ZEPP Transport GmbHPO07960)doc.exe
Token: SeDebugPrivilege	1044	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82
PID 4572 wrote to memory of 1044	4572	(ZEPP Transport GmbHPO07960)doc.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\(ZEPP Transport GmbHPO07960)doc.exe
"C:\Users\Admin\AppData\Local\Temp\(ZEPP Transport GmbHPO07960)doc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-135-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1044-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1044-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1044-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4572-132-0x0000000000C60000-0x0000000000C9E000-memory.dmp

Filesize
248KB

Download
memory/4572-133-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download