lokibot | 07d6addb52e531a21877d4a71131fd16f3117a0576c0aa3849c442bc6f0a6428

General

Target

9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exe
Size

368KB
MD5

9a784ecdb9c3f17cb0ce22bbfa5ff8cc
SHA1

9bf266d003de99d2bb2ee338e30cf5e72f57cf3f
SHA256

07d6addb52e531a21877d4a71131fd16f3117a0576c0aa3849c442bc6f0a6428
SHA512

2b9ab641a7a55220505ce440d4beb923b15ce91e30ed1442ea115d1a4c202e5e8e6b72f82d987283e184d0cf663586f77e5e9aec5a1dfcf82d981cb9d5a31911
SSDEEP

6144:xYa6gGOll8k3moVAtqdeEEP8vIeOZE7yIGDS9d+uiN7V+8GSfim:xYV+3mnuePkQe37vedN7VTGsim

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

thwzbqdsb.exethwzbqdsb.exe

pid process

3328 thwzbqdsb.exe
3068 thwzbqdsb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3328	thwzbqdsb.exe
3068	thwzbqdsb.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

thwzbqdsb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	thwzbqdsb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	thwzbqdsb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	thwzbqdsb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

thwzbqdsb.exe

description pid process target process

PID 3328 set thread context of 3068 3328 thwzbqdsb.exe thwzbqdsb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

thwzbqdsb.exe

pid process

3328 thwzbqdsb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

thwzbqdsb.exe

description pid process

Token: SeDebugPrivilege 3068 thwzbqdsb.exe

description	pid	process	target process
PID 3328 set thread context of 3068	3328	thwzbqdsb.exe	thwzbqdsb.exe

pid	process
3328	thwzbqdsb.exe

description	pid	process
Token: SeDebugPrivilege	3068	thwzbqdsb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exethwzbqdsb.exe

description	pid	process	target process
PID 2064 wrote to memory of 3328	2064	9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exe	thwzbqdsb.exe
PID 2064 wrote to memory of 3328	2064	9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exe	thwzbqdsb.exe
PID 2064 wrote to memory of 3328	2064	9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exe	thwzbqdsb.exe
PID 3328 wrote to memory of 3068	3328	thwzbqdsb.exe	thwzbqdsb.exe
PID 3328 wrote to memory of 3068	3328	thwzbqdsb.exe	thwzbqdsb.exe
PID 3328 wrote to memory of 3068	3328	thwzbqdsb.exe	thwzbqdsb.exe
PID 3328 wrote to memory of 3068	3328	thwzbqdsb.exe	thwzbqdsb.exe

outlook_office_path 1 IoCs

Processes:

thwzbqdsb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	thwzbqdsb.exe

outlook_win_path 1 IoCs

Processes:

thwzbqdsb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	thwzbqdsb.exe

C:\Users\Admin\AppData\Local\Temp\9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exe
"C:\Users\Admin\AppData\Local\Temp\9a784ecdb9c3f17cb0ce22bbfa5ff8cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe
"C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe" C:\Users\Admin\AppData\Local\Temp\xshvjgjld.vx
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe
"C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\snicsovauti.j

Filesize
124KB

MD5
5ccc6ce5699ed1187c791d4b61f398a4

SHA1
a2fa13009e2fe3505a51014b32794f6c6245a77c

SHA256
abe00b4eebae57a9be9788748c1c54922fe58e692175bc47f12fa6af07661fb5

SHA512
726f5dded3f35db2188d938fba210a91d69a58cef25f2d2dd9c900aff6161f6eba9eb36f47c3d54579cc5bd9079243072ae39e1155629df4fe7801ad18dd6dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe

Filesize
53KB

MD5
9e5242d10c1317e72576df0f9189f908

SHA1
ef71378072a863c5d04344cf39d19edb9068744f

SHA256
5a821d419a07cbf521d67d6287d390ded438cca318fb17902e405873508956e3

SHA512
3e84c60944ea29fe2d5dd23621c90e662f2bd2e9fa3b1c1f72ba77bcab43245dcdbeefaf622c31521d049a2a51f55f987a22aff42a2cecd8f6a3bdd5053ae5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe

Filesize
53KB

MD5
9e5242d10c1317e72576df0f9189f908

SHA1
ef71378072a863c5d04344cf39d19edb9068744f

SHA256
5a821d419a07cbf521d67d6287d390ded438cca318fb17902e405873508956e3

SHA512
3e84c60944ea29fe2d5dd23621c90e662f2bd2e9fa3b1c1f72ba77bcab43245dcdbeefaf622c31521d049a2a51f55f987a22aff42a2cecd8f6a3bdd5053ae5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\thwzbqdsb.exe

Filesize
53KB

MD5
9e5242d10c1317e72576df0f9189f908

SHA1
ef71378072a863c5d04344cf39d19edb9068744f

SHA256
5a821d419a07cbf521d67d6287d390ded438cca318fb17902e405873508956e3

SHA512
3e84c60944ea29fe2d5dd23621c90e662f2bd2e9fa3b1c1f72ba77bcab43245dcdbeefaf622c31521d049a2a51f55f987a22aff42a2cecd8f6a3bdd5053ae5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xshvjgjld.vx

Filesize
5KB

MD5
47d99fcab07bb62e396c7fb2761ee3b5

SHA1
4a0840e75337428b1a990bded8e4504339cf8e1b

SHA256
63a96674d8cfb3cd833a14f101e821c5bf292d71aedee35b6f711529524471fa

SHA512
fc8f979283086ec5abb07262446850be93f753a4f908a29be558b34a96c51d75131572069a94088fdd747708c1c3264293e16704934766a55edd4a6301623a63

Download Submit
memory/3068-137-0x0000000000000000-mapping.dmp

Download
memory/3068-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3068-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3328-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads