lokibot | de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9

General

Target

21f218355048519cbfe30b197a9ed5bb.exe
Size

339KB
MD5

21f218355048519cbfe30b197a9ed5bb
SHA1

ccb176d3bbea60567dc52439ffc0c127fa6eacc4
SHA256

de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9
SHA512

33e88f9b1f374c0c0ac4230876c661a2b4cf05de5b2d1dea46e5f55e4a6644532a95442b74d1e854e9036f9acd2f3c8c1825defcd450cf72fa468529e1feafdf
SSDEEP

3072:4fY/TU9fE9PEtuABKs4fOzqEbeSgikfcIwVN2lQ7+TZe1tnlDcnvGyNWLHgdzMlx:uYa6KMwqGrgihpQstanvGyNWLHiQQBDU

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

dvgxyu.exedvgxyu.exe

pid process

4944 dvgxyu.exe
4920 dvgxyu.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4944	dvgxyu.exe
4920	dvgxyu.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dvgxyu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dvgxyu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dvgxyu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dvgxyu.exe

description pid process target process

PID 4944 set thread context of 4920 4944 dvgxyu.exe dvgxyu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dvgxyu.exe

pid process

4944 dvgxyu.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dvgxyu.exe

description pid process

Token: SeDebugPrivilege 4920 dvgxyu.exe

description	pid	process	target process
PID 4944 set thread context of 4920	4944	dvgxyu.exe	dvgxyu.exe

pid	process
4944	dvgxyu.exe

description	pid	process
Token: SeDebugPrivilege	4920	dvgxyu.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

21f218355048519cbfe30b197a9ed5bb.exedvgxyu.exe

description	pid	process	target process
PID 4276 wrote to memory of 4944	4276	21f218355048519cbfe30b197a9ed5bb.exe	dvgxyu.exe
PID 4276 wrote to memory of 4944	4276	21f218355048519cbfe30b197a9ed5bb.exe	dvgxyu.exe
PID 4276 wrote to memory of 4944	4276	21f218355048519cbfe30b197a9ed5bb.exe	dvgxyu.exe
PID 4944 wrote to memory of 4920	4944	dvgxyu.exe	dvgxyu.exe
PID 4944 wrote to memory of 4920	4944	dvgxyu.exe	dvgxyu.exe
PID 4944 wrote to memory of 4920	4944	dvgxyu.exe	dvgxyu.exe
PID 4944 wrote to memory of 4920	4944	dvgxyu.exe	dvgxyu.exe

outlook_office_path 1 IoCs

Processes:

dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dvgxyu.exe

outlook_win_path 1 IoCs

Processes:

dvgxyu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dvgxyu.exe

C:\Users\Admin\AppData\Local\Temp\21f218355048519cbfe30b197a9ed5bb.exe
"C:\Users\Admin\AppData\Local\Temp\21f218355048519cbfe30b197a9ed5bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
"C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe" C:\Users\Admin\AppData\Local\Temp\qqzfykljr.euv
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
"C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe

Filesize
53KB

MD5
ec4ee3046babbdde2b727200fe57e249

SHA1
4b2e0a80947bf22fae5d36e42672e2001f0925f6

SHA256
525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

SHA512
9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htumj.tgq

Filesize
124KB

MD5
efc554754a187541e8796eb668035bb3

SHA1
97f32f178cb14870ca365a0087e695058ace851d

SHA256
9ad33fcd12dc3d5ea791eea89a43690923204d3f264cf90821427b60cc5a526e

SHA512
47efd06e5c00786513ad92fc05e97cd41bcb68bc42b2c6ee72dd0fc600da22d3edef00a95784b1d0952893e841578a775375dba569e1c30c9288769986268e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqzfykljr.euv

Filesize
5KB

MD5
ecb37cd6ee8b9db9885ba717d4adb214

SHA1
c851738f41f381fb68ff02d4407c66a40674ac55

SHA256
5fc04ff9019f6cba12e94c9961b6c94487ad0173ad097c66b868f6cbdc5696ac

SHA512
11d1832f232790ceb0faea2f373654e3a91c2d028431692908d6de4c50bfe0664ae9ee4cc55ee5b106f68eb94c9f3547ae15b1a2e1e38fdded1a4c6a3fd7ab8d

Download Submit
memory/4920-137-0x0000000000000000-mapping.dmp

Download
memory/4920-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4920-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4944-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads