lokibot | 59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3

General

Target

64756e8f5c253a58f8fc8e95a708f647.exe
Size

418KB
MD5

64756e8f5c253a58f8fc8e95a708f647
SHA1

7e28c11a713061bcad93b8faf2e238a552668bee
SHA256

59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3
SHA512

ae977d3ee77ad647f8ddd28bbf05c88c94afd07c188564065905618d4d74c3696c237e969bda2a0b1b5b1cf05744a914515b6bf7cb9d8ced55913ee7c5f742b0
SSDEEP

6144:UYa6hP5KTnXklp3bCljXWNoJ9oQy5To2uMA040vv8tNatjWxG:UY8TnUlNAXWNoJfT2tT4288x

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

lpubwzrt.exelpubwzrt.exe

pid process

1972 lpubwzrt.exe
1000 lpubwzrt.exe
Loads dropped DLL 3 IoCs

Processes:

64756e8f5c253a58f8fc8e95a708f647.exelpubwzrt.exe

pid process

2016 64756e8f5c253a58f8fc8e95a708f647.exe
2016 64756e8f5c253a58f8fc8e95a708f647.exe
1972 lpubwzrt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1972	lpubwzrt.exe
1000	lpubwzrt.exe

pid	process
2016	64756e8f5c253a58f8fc8e95a708f647.exe
2016	64756e8f5c253a58f8fc8e95a708f647.exe
1972	lpubwzrt.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

lpubwzrt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lpubwzrt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	lpubwzrt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lpubwzrt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lpubwzrt.exe

description pid process target process

PID 1972 set thread context of 1000 1972 lpubwzrt.exe lpubwzrt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lpubwzrt.exe

pid process

1972 lpubwzrt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lpubwzrt.exe

description pid process

Token: SeDebugPrivilege 1000 lpubwzrt.exe

description	pid	process	target process
PID 1972 set thread context of 1000	1972	lpubwzrt.exe	lpubwzrt.exe

pid	process
1972	lpubwzrt.exe

description	pid	process
Token: SeDebugPrivilege	1000	lpubwzrt.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

64756e8f5c253a58f8fc8e95a708f647.exelpubwzrt.exe

description	pid	process	target process
PID 2016 wrote to memory of 1972	2016	64756e8f5c253a58f8fc8e95a708f647.exe	lpubwzrt.exe
PID 2016 wrote to memory of 1972	2016	64756e8f5c253a58f8fc8e95a708f647.exe	lpubwzrt.exe
PID 2016 wrote to memory of 1972	2016	64756e8f5c253a58f8fc8e95a708f647.exe	lpubwzrt.exe
PID 2016 wrote to memory of 1972	2016	64756e8f5c253a58f8fc8e95a708f647.exe	lpubwzrt.exe
PID 1972 wrote to memory of 1000	1972	lpubwzrt.exe	lpubwzrt.exe
PID 1972 wrote to memory of 1000	1972	lpubwzrt.exe	lpubwzrt.exe
PID 1972 wrote to memory of 1000	1972	lpubwzrt.exe	lpubwzrt.exe
PID 1972 wrote to memory of 1000	1972	lpubwzrt.exe	lpubwzrt.exe
PID 1972 wrote to memory of 1000	1972	lpubwzrt.exe	lpubwzrt.exe

outlook_office_path 1 IoCs

Processes:

lpubwzrt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lpubwzrt.exe

outlook_win_path 1 IoCs

Processes:

lpubwzrt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lpubwzrt.exe

C:\Users\Admin\AppData\Local\Temp\64756e8f5c253a58f8fc8e95a708f647.exe
"C:\Users\Admin\AppData\Local\Temp\64756e8f5c253a58f8fc8e95a708f647.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe
"C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe" C:\Users\Admin\AppData\Local\Temp\dqzmvns.g
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe
"C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvlfwhldw.fdl

Filesize
124KB

MD5
61abf3581a3e06a83eea49025d16fc93

SHA1
e12e72a053fc908c218172ede2eb0c8b341661d2

SHA256
f86753be7afbe8b3b89179dd283459b00914367c19bbd89a6fad112117af93c9

SHA512
c90d6220d935a879895d2480c4ed9d2506b2a28c8891e35790523a09e76965481aef7e6d30b634cdf49cb91640cf56257dcac0cb7b5e00f40777c67ff951d6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqzmvns.g

Filesize
5KB

MD5
1150f13d89e2a0154b11a2f20e9df7e6

SHA1
5cf36041f5721c64dd8e1fa8ff25fd29c456eb25

SHA256
496366e6c6d3a2b4e624962b0c97788c6b5a419963f4668a001fd6c1642e1c4c

SHA512
8889c9b97dbc6b8d9b975c1320977d8c91697069b510f7fa65df97da211d5008f9a646ff98f9bbf21241bd7a76c5af81a742b817007b94f530f840c152382007

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe

Filesize
100KB

MD5
7e0a3613230aaf331bc7afc9e46ba7c1

SHA1
d364d6b1cad9f4bef2518ed78ab66c55c411bcc4

SHA256
83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9

SHA512
06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe

Filesize
100KB

MD5
7e0a3613230aaf331bc7afc9e46ba7c1

SHA1
d364d6b1cad9f4bef2518ed78ab66c55c411bcc4

SHA256
83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9

SHA512
06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpubwzrt.exe

Filesize
100KB

MD5
7e0a3613230aaf331bc7afc9e46ba7c1

SHA1
d364d6b1cad9f4bef2518ed78ab66c55c411bcc4

SHA256
83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9

SHA512
06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

Download Submit
\Users\Admin\AppData\Local\Temp\lpubwzrt.exe

Filesize
100KB

MD5
7e0a3613230aaf331bc7afc9e46ba7c1

SHA1
d364d6b1cad9f4bef2518ed78ab66c55c411bcc4

SHA256
83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9

SHA512
06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

Download Submit
\Users\Admin\AppData\Local\Temp\lpubwzrt.exe

Filesize
100KB

MD5
7e0a3613230aaf331bc7afc9e46ba7c1

SHA1
d364d6b1cad9f4bef2518ed78ab66c55c411bcc4

SHA256
83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9

SHA512
06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

Download Submit
\Users\Admin\AppData\Local\Temp\lpubwzrt.exe

Filesize
100KB

MD5
7e0a3613230aaf331bc7afc9e46ba7c1

SHA1
d364d6b1cad9f4bef2518ed78ab66c55c411bcc4

SHA256
83f1f7e25cd82d66a8dfcb1a427f61d4c8d856300fc2df248d70d0dab560bfd9

SHA512
06b9e5bbf8194cccfa80c71682746f8f1af4e76457713e3a86e6b650266e1f8f5378affde3618c9d3fa087bffbbcf872e5c03cad2b4a222c402c1e4faa962f2d

Download Submit
memory/1000-64-0x00000000004139DE-mapping.dmp

Download
memory/1000-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1000-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads