lokibot | caf4b4bad63a29bd428dcad17ca627977a8940605bb047c0d4d9580724d24d89

General

Target

e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exe
Size

355KB
MD5

02efabc9954928844676eeb598c44ee8
SHA1

9c1b25bc746486f1a076082562e74371deb4ec66
SHA256

e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e
SHA512

397018dbeef969e0f80cfbc9d7a04fec10512e658bed86a7565a462339f3a187a0cb1fc1507ae3523b52de3272748b44bf8074aa45020c26a44a7daa256ef89f
SSDEEP

6144:okwCnl6tA5ObRvwRwof8XaoJduSxAIiHUOadrtd:P5ObvokXlfATk

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://kene.us/ASAZI/bul.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

hgvyd.exehgvyd.exe

pid process

4568 hgvyd.exe
1032 hgvyd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4568	hgvyd.exe
1032	hgvyd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

hgvyd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hgvyd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hgvyd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hgvyd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hgvyd.exe

description pid process target process

PID 4568 set thread context of 1032 4568 hgvyd.exe hgvyd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hgvyd.exe

pid process

4568 hgvyd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hgvyd.exe

description pid process

Token: SeDebugPrivilege 1032 hgvyd.exe

description	pid	process	target process
PID 4568 set thread context of 1032	4568	hgvyd.exe	hgvyd.exe

pid	process
4568	hgvyd.exe

description	pid	process
Token: SeDebugPrivilege	1032	hgvyd.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exehgvyd.exe

description	pid	process	target process
PID 944 wrote to memory of 4568	944	e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exe	hgvyd.exe
PID 944 wrote to memory of 4568	944	e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exe	hgvyd.exe
PID 944 wrote to memory of 4568	944	e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exe	hgvyd.exe
PID 4568 wrote to memory of 1032	4568	hgvyd.exe	hgvyd.exe
PID 4568 wrote to memory of 1032	4568	hgvyd.exe	hgvyd.exe
PID 4568 wrote to memory of 1032	4568	hgvyd.exe	hgvyd.exe
PID 4568 wrote to memory of 1032	4568	hgvyd.exe	hgvyd.exe

outlook_office_path 1 IoCs

Processes:

hgvyd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hgvyd.exe

outlook_win_path 1 IoCs

Processes:

hgvyd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hgvyd.exe

C:\Users\Admin\AppData\Local\Temp\e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exe
"C:\Users\Admin\AppData\Local\Temp\e09911ae184264e67137f1d9a9a0e38f7f9b736aadf20d6ffb3f28edde9a194e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\hgvyd.exe
"C:\Users\Admin\AppData\Local\Temp\hgvyd.exe" C:\Users\Admin\AppData\Local\Temp\hpdcjdfdly.rp
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\hgvyd.exe
"C:\Users\Admin\AppData\Local\Temp\hgvyd.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hgvyd.exe

Filesize
79KB

MD5
59ff36c42465b2c58d5ee1892a31599e

SHA1
ac59a2735cd7ffd2e0a05627c543b4656d302136

SHA256
3e70ed1ece6279bcd4ac85288f9ead0f94f32ddcb700f246765d465b2853e935

SHA512
f3f0b0c9b2d7aacca9d8a86b3a54cf2ac167823022f3945d501c2e678c37eba8571649c02fffefb9e752d79327a3c9d3923ed3efcfd7206082800a871e35f944

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgvyd.exe

Filesize
79KB

MD5
59ff36c42465b2c58d5ee1892a31599e

SHA1
ac59a2735cd7ffd2e0a05627c543b4656d302136

SHA256
3e70ed1ece6279bcd4ac85288f9ead0f94f32ddcb700f246765d465b2853e935

SHA512
f3f0b0c9b2d7aacca9d8a86b3a54cf2ac167823022f3945d501c2e678c37eba8571649c02fffefb9e752d79327a3c9d3923ed3efcfd7206082800a871e35f944

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgvyd.exe

Filesize
79KB

MD5
59ff36c42465b2c58d5ee1892a31599e

SHA1
ac59a2735cd7ffd2e0a05627c543b4656d302136

SHA256
3e70ed1ece6279bcd4ac85288f9ead0f94f32ddcb700f246765d465b2853e935

SHA512
f3f0b0c9b2d7aacca9d8a86b3a54cf2ac167823022f3945d501c2e678c37eba8571649c02fffefb9e752d79327a3c9d3923ed3efcfd7206082800a871e35f944

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpdcjdfdly.rp

Filesize
5KB

MD5
6b9fd42673888fb3c1c7a566670f51d5

SHA1
1d318d27965b3a4ad0138b58471b1245ae960d31

SHA256
6cfb6e8cbf569cbcf68476d31bf86470cbcb9076e68eb2b9bcb09f91f53f547b

SHA512
669634b1b32813c8c538eac22245aecfc09e917583e9e7b7cac2a3d190d6ae56745471abc06e2afc1b8e406fbb66b232b6d074688e59f86e2a610c6a0c4a1018

Download Submit
C:\Users\Admin\AppData\Local\Temp\thyrwkj.n

Filesize
104KB

MD5
a9ff428856d1c11877e8f695f79a4fe5

SHA1
0a773c9b578beea0fab794f08eab04945821bde9

SHA256
8b6ee98e5fce13e408aa8a37679c6e2c865f50466b52e3329142be3beddddfb1

SHA512
4bcb74e20e4d09ecca779e49f820d5fac9fd85ca52fb91cc3f9ed19e2bbcc84484e7bb732cac11e42f75e7ad5edfae652466f0e73010fd0dbd79f9997c17341c

Download Submit
memory/1032-137-0x0000000000000000-mapping.dmp

Download
memory/1032-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1032-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4568-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads