lokibot | 4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89

General

Target

4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89.exe
Size

386KB
MD5

6ebb467dc49dbb2b90517da19cfb6c16
SHA1

0c3af6a618a75e73920c9872e50286eb987d6e79
SHA256

4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89
SHA512

3da116117767398befbd862294fbea6bb4d15eb21d8d6072722c8b7d80488b3f2668d3026d2d16bed9d669298b5c6e14c1d23f257729d50d6bd79931c2743637
SSDEEP

12288:1Y4UOpgCsQQjEyTpK/ucJKXH8HvuvJq4JI:1YF8gCbUQ/ucJKXXJq4JI

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
4808	rhpzsg.exe
1516	rhpzsg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rhpzsg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rhpzsg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rhpzsg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 1516	4808	rhpzsg.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4808	rhpzsg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	rhpzsg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4808	4892	4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89.exe	82
PID 4892 wrote to memory of 4808	4892	4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89.exe	82
PID 4892 wrote to memory of 4808	4892	4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89.exe	82
PID 4808 wrote to memory of 1516	4808	rhpzsg.exe	84
PID 4808 wrote to memory of 1516	4808	rhpzsg.exe	84
PID 4808 wrote to memory of 1516	4808	rhpzsg.exe	84
PID 4808 wrote to memory of 1516	4808	rhpzsg.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rhpzsg.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rhpzsg.exe

C:\Users\Admin\AppData\Local\Temp\4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89.exe
"C:\Users\Admin\AppData\Local\Temp\4f3f8153b0841789234621447e7cdf6754b4d8494482853304a849d1ef2c0d89.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe
  "C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe" C:\Users\Admin\AppData\Local\Temp\shbfepsbon.p
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe
    "C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oxruw.oy

Filesize
124KB

MD5
45d43a67527c1d295b880c0c5b8d580a

SHA1
0a570fcd958d2008e99818dc8b5867d6d6d1c6cb

SHA256
0f10222c5e7c4c2ff3d612b18aae77ba441bc1a71efadb7787fb05b7f42e618c

SHA512
8ecc14e28da4b7cd67001f943044907c2582699d0fb11d8d5f79124334d0c843b089a6cd3689be6f00f91e9db0557c18c380f63b32d175af58483bc7aaa5fb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe

Filesize
86KB

MD5
1e2e4e14251f5fb091e7df38679ea434

SHA1
157ba1f3faa6321d44ed5aa91a30bb2c16f4a739

SHA256
9dba620aa4d116969f2b45e9659b0ae4dc862e2cc9775c42993428e2b48bc9f0

SHA512
d2454c49efc806f7f323b60d2539e0a396b30fbe4afa7fcf06dcdf65e8b2db48f94bb61179950c795988ab8e5485eb72fe7cc89d9b4b1d4f129e5aec2ac4cc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe

Filesize
86KB

MD5
1e2e4e14251f5fb091e7df38679ea434

SHA1
157ba1f3faa6321d44ed5aa91a30bb2c16f4a739

SHA256
9dba620aa4d116969f2b45e9659b0ae4dc862e2cc9775c42993428e2b48bc9f0

SHA512
d2454c49efc806f7f323b60d2539e0a396b30fbe4afa7fcf06dcdf65e8b2db48f94bb61179950c795988ab8e5485eb72fe7cc89d9b4b1d4f129e5aec2ac4cc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhpzsg.exe

Filesize
86KB

MD5
1e2e4e14251f5fb091e7df38679ea434

SHA1
157ba1f3faa6321d44ed5aa91a30bb2c16f4a739

SHA256
9dba620aa4d116969f2b45e9659b0ae4dc862e2cc9775c42993428e2b48bc9f0

SHA512
d2454c49efc806f7f323b60d2539e0a396b30fbe4afa7fcf06dcdf65e8b2db48f94bb61179950c795988ab8e5485eb72fe7cc89d9b4b1d4f129e5aec2ac4cc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\shbfepsbon.p

Filesize
5KB

MD5
0909d97c4abad6b4c31b80cf2dd8b101

SHA1
1c7d94f125edb4a12f7fe76de50c3e85f71e6146

SHA256
af32a458970a480cd33810c58e30acef83bfb9ca2c555c126f7f3569ce25407d

SHA512
84449c198ff1f62d44479e0e1d2aa56240bf408efde3a489d698c252d8c6c3b5267ae4ea149e425dacc49c20d040b809fc9efaa3c82395b69343b0ba4a9cf1ee

Download Submit
memory/1516-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1516-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing