lokibot | be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7

General

Target

be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exe
Size

410KB
MD5

8e3f5686982c6fb28ca05be8afa2945c
SHA1

a07552b36fb3446c1bf933839aac0c5c2ac85413
SHA256

be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7
SHA512

9618d5fba1fe3923d4b9bdc18fd54fd9f2b41db43b9b9b2829eb70f7dee889e33d3844cb9517bcba85d5105571fcf46dfcab1a9872f965cfdedd7250498daaaf
SSDEEP

12288:aYHhXUJtDHuZ53MFG0bS+vzw7Ob5GlLtieM+YzwIP:aYHhXMucF5SwzwQ+t+p

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

nkdvifms.exenkdvifms.exe

pid process

2360 nkdvifms.exe
1512 nkdvifms.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2360	nkdvifms.exe
1512	nkdvifms.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	nkdvifms.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	nkdvifms.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nkdvifms.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

nkdvifms.exe

description pid process target process

PID 2360 set thread context of 1512 2360 nkdvifms.exe nkdvifms.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nkdvifms.exe

pid process

2360 nkdvifms.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nkdvifms.exe

description pid process

Token: SeDebugPrivilege 1512 nkdvifms.exe

description	pid	process	target process
PID 2360 set thread context of 1512	2360	nkdvifms.exe	nkdvifms.exe

pid	process
2360	nkdvifms.exe

description	pid	process
Token: SeDebugPrivilege	1512	nkdvifms.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exenkdvifms.exe

description	pid	process	target process
PID 3740 wrote to memory of 2360	3740	be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exe	nkdvifms.exe
PID 3740 wrote to memory of 2360	3740	be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exe	nkdvifms.exe
PID 3740 wrote to memory of 2360	3740	be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exe	nkdvifms.exe
PID 2360 wrote to memory of 1512	2360	nkdvifms.exe	nkdvifms.exe
PID 2360 wrote to memory of 1512	2360	nkdvifms.exe	nkdvifms.exe
PID 2360 wrote to memory of 1512	2360	nkdvifms.exe	nkdvifms.exe
PID 2360 wrote to memory of 1512	2360	nkdvifms.exe	nkdvifms.exe

outlook_office_path 1 IoCs

Processes:

nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nkdvifms.exe

outlook_win_path 1 IoCs

Processes:

nkdvifms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	nkdvifms.exe

C:\Users\Admin\AppData\Local\Temp\be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exe
"C:\Users\Admin\AppData\Local\Temp\be6c4deb16404e0a19816416d4b40cca5343115fc2fe3cf0d63ebc9821d628e7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe
"C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe" C:\Users\Admin\AppData\Local\Temp\hmedw.p
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe
"C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmedw.p

Filesize
6KB

MD5
fd51be72426c39dc00f2b205f6833842

SHA1
57b2789688d6f661560a04ade85b93da51157d27

SHA256
b896a8708e886a084f33b9121ba0c706d8c49fe20ea5ee9a12d3d8607d891506

SHA512
55d20776296db0fdd81df8ea70f601ec249cfc3ec87f69151c51ab2934c426a02b1acc66a2a8f0d9281e074c13a919ee4f9ad89d0070786c6747523d540b3baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkdvifms.exe

Filesize
100KB

MD5
7a42faf6b143e8fdb37b2a5b81e6c12e

SHA1
6387197a404e96da47dd4aa6d288fed647146514

SHA256
aeb928e5e4d606bea2a22740a0bfbf8d32250107af71f1aa5ad53f6ea9c15e4f

SHA512
0d39585c2ae20878af9e42d9d33cdb8f5fb6cac72a01ccb245d478b66a92bf55ab924d8cf7b349b17e62e8122b528b08a0562f0fc01013d30d47acfe9c412637

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxxmjmgo.k

Filesize
124KB

MD5
ace55a7b52c7d502500c8c47650dd135

SHA1
aa370c3828ae5aa80e78fe6ed0bd8cebf22f68f3

SHA256
5ad2b3d31c912c02a656c49b681fe8d6d5b49eb77d19a07858392c88a61bd1bf

SHA512
84ac3071e813cc1acdb27b0e90984e16774f89239c7d1389385a2c1eab4b86531e357fb1b82fe6677a5a82234cec73426f1e94fff619b2bdac2c2255ab8c082d

Download Submit
memory/1512-137-0x0000000000000000-mapping.dmp

Download
memory/1512-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1512-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2360-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads