lokibot | 6f7d710effbef4c9dde9997af6ca7790d879e8e190b21bd5a43e099b27f6eb8a

General

Target

5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe
Size

345KB
MD5

da0210cb16a56636b2d28c3f542173e2
SHA1

5c2f3610b4d02d7bdd87439ce17e49a51effefad
SHA256

6f7d710effbef4c9dde9997af6ca7790d879e8e190b21bd5a43e099b27f6eb8a
SHA512

5adade7016a711ac7784355c151f7837758d056331649bf904cfa4a6b06084ea9441ab07bc5d6302e107f88e8209edc54a010c9c04c8b81ea4203215d66f4915
SSDEEP

3072:0fY/TU9fE9PEtuzhbiXCZDs68q72mIJJik3VNr8z9asJeEoArhZ/iZDM20jrsH+o:CYa69liXCj7mJF7SffodhcfE+R6

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
536	ghlmj.exe
1440	ghlmj.exe

Loads dropped DLL 3 IoCs

pid	Process
1360	5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe
1360	5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe
536	ghlmj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ghlmj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ghlmj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ghlmj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 536 set thread context of 1440	536	ghlmj.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
536	ghlmj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	ghlmj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 536	1360	5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe	28
PID 1360 wrote to memory of 536	1360	5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe	28
PID 1360 wrote to memory of 536	1360	5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe	28
PID 1360 wrote to memory of 536	1360	5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe	28
PID 536 wrote to memory of 1440	536	ghlmj.exe	29
PID 536 wrote to memory of 1440	536	ghlmj.exe	29
PID 536 wrote to memory of 1440	536	ghlmj.exe	29
PID 536 wrote to memory of 1440	536	ghlmj.exe	29
PID 536 wrote to memory of 1440	536	ghlmj.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ghlmj.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ghlmj.exe

C:\Users\Admin\AppData\Local\Temp\5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe
"C:\Users\Admin\AppData\Local\Temp\5c2f3610b4d02d7bdd87439ce17e49a51effefad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\ghlmj.exe
  "C:\Users\Admin\AppData\Local\Temp\ghlmj.exe" C:\Users\Admin\AppData\Local\Temp\kslmkms.i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\ghlmj.exe
    "C:\Users\Admin\AppData\Local\Temp\ghlmj.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ggcpalhrnre.u

Filesize
124KB

MD5
f80e837550cc4b8ba474491b616ac01d

SHA1
d7583cac66bba4c9bd51ac5937bed737f2b5bd6e

SHA256
6a8794ae27527f8b23566553db58757eca59170cff75e09a158dce4dc2dc386b

SHA512
55889c69bb1d30452e6a10b7b8bd4b53aaad4167bd435061cc91dcc1e1154df5ade7e54915f2f4e713d63158f12ba54287788d86fd3c14f9a6f931f011870134

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghlmj.exe

Filesize
84KB

MD5
ed9b87824104603d6e22776cce91edf2

SHA1
659d001492da3b7e2e0fc2ab0ac6483970557a85

SHA256
9e87d9057bf4b0cd43310d8e042f6173a5e584b036a0ca7e9dd50aa032c58154

SHA512
80b10eb87817e3b535e78d31b39c99f09507bca24d9a5da088e07ab89eeb53197f7485266075480c8f96d908a8a20074d53cc07bb8175a3fbd6d6da3d7523317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghlmj.exe

Filesize
84KB

MD5
ed9b87824104603d6e22776cce91edf2

SHA1
659d001492da3b7e2e0fc2ab0ac6483970557a85

SHA256
9e87d9057bf4b0cd43310d8e042f6173a5e584b036a0ca7e9dd50aa032c58154

SHA512
80b10eb87817e3b535e78d31b39c99f09507bca24d9a5da088e07ab89eeb53197f7485266075480c8f96d908a8a20074d53cc07bb8175a3fbd6d6da3d7523317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghlmj.exe

Filesize
84KB

MD5
ed9b87824104603d6e22776cce91edf2

SHA1
659d001492da3b7e2e0fc2ab0ac6483970557a85

SHA256
9e87d9057bf4b0cd43310d8e042f6173a5e584b036a0ca7e9dd50aa032c58154

SHA512
80b10eb87817e3b535e78d31b39c99f09507bca24d9a5da088e07ab89eeb53197f7485266075480c8f96d908a8a20074d53cc07bb8175a3fbd6d6da3d7523317

Download Submit
C:\Users\Admin\AppData\Local\Temp\kslmkms.i

Filesize
5KB

MD5
dea5fcf3522dd933e473eb4a25870dc8

SHA1
05e935cd8a865f022d3df6c0ffffdd74abd9cc74

SHA256
154fc961aa511dcbab8bbfc6699f3765d8f71d590adcba323996830445afa51a

SHA512
ac7323e817193538fcb692a368c45a395dc143993865d4a69b479c74cb7a6f5caff9b50dad9ae9f409c23450558ee5a8240333ae103c3c55fb80ca772a7d2a4b

Download Submit
\Users\Admin\AppData\Local\Temp\ghlmj.exe

Filesize
84KB

MD5
ed9b87824104603d6e22776cce91edf2

SHA1
659d001492da3b7e2e0fc2ab0ac6483970557a85

SHA256
9e87d9057bf4b0cd43310d8e042f6173a5e584b036a0ca7e9dd50aa032c58154

SHA512
80b10eb87817e3b535e78d31b39c99f09507bca24d9a5da088e07ab89eeb53197f7485266075480c8f96d908a8a20074d53cc07bb8175a3fbd6d6da3d7523317

Download Submit
\Users\Admin\AppData\Local\Temp\ghlmj.exe

Filesize
84KB

MD5
ed9b87824104603d6e22776cce91edf2

SHA1
659d001492da3b7e2e0fc2ab0ac6483970557a85

SHA256
9e87d9057bf4b0cd43310d8e042f6173a5e584b036a0ca7e9dd50aa032c58154

SHA512
80b10eb87817e3b535e78d31b39c99f09507bca24d9a5da088e07ab89eeb53197f7485266075480c8f96d908a8a20074d53cc07bb8175a3fbd6d6da3d7523317

Download Submit
\Users\Admin\AppData\Local\Temp\ghlmj.exe

Filesize
84KB

MD5
ed9b87824104603d6e22776cce91edf2

SHA1
659d001492da3b7e2e0fc2ab0ac6483970557a85

SHA256
9e87d9057bf4b0cd43310d8e042f6173a5e584b036a0ca7e9dd50aa032c58154

SHA512
80b10eb87817e3b535e78d31b39c99f09507bca24d9a5da088e07ab89eeb53197f7485266075480c8f96d908a8a20074d53cc07bb8175a3fbd6d6da3d7523317

Download Submit
memory/1360-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1440-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1440-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing