lokibot | 101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5

General

Target

583b316e6de1c82a372f4bb7c8f49c1a.exe
Size

335KB
MD5

583b316e6de1c82a372f4bb7c8f49c1a
SHA1

27931c3fc5e38a68364cc3544b380ebe55a675c6
SHA256

101d8857d8ca67256ce3fd72da19bc291045403bed786495aa916a572a780db5
SHA512

85a57f35cf7f06770b932af1d9909612ac87273a36755220c25a9ad01c2ba46e608608c847c9142809285c228e62b2ffb0b1bb8124d0d2a195e0f2d3815a7c75
SSDEEP

3072:ufY/TU9fE9PEtuEssssssS5ePlb/2w433sK+mk29NwhJABYymPDTeo30bB+QuOdj:YYa696E3kJhJoYnD6o5rOds8Q2LH

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/cody/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

hyftgszt.exehyftgszt.exe

pid process

908 hyftgszt.exe
1744 hyftgszt.exe
Loads dropped DLL 3 IoCs

Processes:

583b316e6de1c82a372f4bb7c8f49c1a.exehyftgszt.exe

pid process

1080 583b316e6de1c82a372f4bb7c8f49c1a.exe
1080 583b316e6de1c82a372f4bb7c8f49c1a.exe
908 hyftgszt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
908	hyftgszt.exe
1744	hyftgszt.exe

pid	process
1080	583b316e6de1c82a372f4bb7c8f49c1a.exe
1080	583b316e6de1c82a372f4bb7c8f49c1a.exe
908	hyftgszt.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

hyftgszt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hyftgszt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hyftgszt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hyftgszt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hyftgszt.exe

description pid process target process

PID 908 set thread context of 1744 908 hyftgszt.exe hyftgszt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hyftgszt.exe

pid process

908 hyftgszt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hyftgszt.exe

description pid process

Token: SeDebugPrivilege 1744 hyftgszt.exe

description	pid	process	target process
PID 908 set thread context of 1744	908	hyftgszt.exe	hyftgszt.exe

pid	process
908	hyftgszt.exe

description	pid	process
Token: SeDebugPrivilege	1744	hyftgszt.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

583b316e6de1c82a372f4bb7c8f49c1a.exehyftgszt.exe

description	pid	process	target process
PID 1080 wrote to memory of 908	1080	583b316e6de1c82a372f4bb7c8f49c1a.exe	hyftgszt.exe
PID 1080 wrote to memory of 908	1080	583b316e6de1c82a372f4bb7c8f49c1a.exe	hyftgszt.exe
PID 1080 wrote to memory of 908	1080	583b316e6de1c82a372f4bb7c8f49c1a.exe	hyftgszt.exe
PID 1080 wrote to memory of 908	1080	583b316e6de1c82a372f4bb7c8f49c1a.exe	hyftgszt.exe
PID 908 wrote to memory of 1744	908	hyftgszt.exe	hyftgszt.exe
PID 908 wrote to memory of 1744	908	hyftgszt.exe	hyftgszt.exe
PID 908 wrote to memory of 1744	908	hyftgszt.exe	hyftgszt.exe
PID 908 wrote to memory of 1744	908	hyftgszt.exe	hyftgszt.exe
PID 908 wrote to memory of 1744	908	hyftgszt.exe	hyftgszt.exe

outlook_office_path 1 IoCs

Processes:

hyftgszt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hyftgszt.exe

outlook_win_path 1 IoCs

Processes:

hyftgszt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hyftgszt.exe

C:\Users\Admin\AppData\Local\Temp\583b316e6de1c82a372f4bb7c8f49c1a.exe
"C:\Users\Admin\AppData\Local\Temp\583b316e6de1c82a372f4bb7c8f49c1a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe
"C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe" C:\Users\Admin\AppData\Local\Temp\qawrjdghhz.jgj
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe
"C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hrehabpx.km

Filesize
124KB

MD5
987afe48f707cb1e59dbbec778758a1b

SHA1
676c0bc16d007eefdc072decb8bae371534dfaa5

SHA256
81a18bbd185645bf12ead6c01cdeb166946020e510abeed6345c5d96f311e325

SHA512
67e0b6fbce3c77eb99496b72b52b95138ff09cb727165488b3ca304d66ee2ab358ab493d722893e2fb14699f7864638a1e15b41a17d4004e1e02a5374c2ba0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe

Filesize
53KB

MD5
0c6300a091ee35abb79b47a9e885f13f

SHA1
07a8ce350be206cb1b4f368d2da049baa0c44bc1

SHA256
8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244

SHA512
0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe

Filesize
53KB

MD5
0c6300a091ee35abb79b47a9e885f13f

SHA1
07a8ce350be206cb1b4f368d2da049baa0c44bc1

SHA256
8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244

SHA512
0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyftgszt.exe

Filesize
53KB

MD5
0c6300a091ee35abb79b47a9e885f13f

SHA1
07a8ce350be206cb1b4f368d2da049baa0c44bc1

SHA256
8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244

SHA512
0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qawrjdghhz.jgj

Filesize
5KB

MD5
ac774ef28744c56edbf6d5cb5de9d6c5

SHA1
1c9e3285078f84663d624f3002694ddafdd00fe5

SHA256
fd7877a632d4d7f1eebe4459e9534744bbf881e59411b224f684121289ca1bfe

SHA512
ab3fe8dc8ff39fefe288753539f8e0844ab6b2f3f866c00e21153d060c6f088aaeba4b73e77e38cddecf1d87860d676d9bd9d735fbf4e7b0afa14943408164b5

Download Submit
\Users\Admin\AppData\Local\Temp\hyftgszt.exe

Filesize
53KB

MD5
0c6300a091ee35abb79b47a9e885f13f

SHA1
07a8ce350be206cb1b4f368d2da049baa0c44bc1

SHA256
8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244

SHA512
0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6

Download Submit
\Users\Admin\AppData\Local\Temp\hyftgszt.exe

Filesize
53KB

MD5
0c6300a091ee35abb79b47a9e885f13f

SHA1
07a8ce350be206cb1b4f368d2da049baa0c44bc1

SHA256
8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244

SHA512
0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6

Download Submit
\Users\Admin\AppData\Local\Temp\hyftgszt.exe

Filesize
53KB

MD5
0c6300a091ee35abb79b47a9e885f13f

SHA1
07a8ce350be206cb1b4f368d2da049baa0c44bc1

SHA256
8f9e894ef7ea16ec6293e355c1cacecb9b09a368165ecd2ff68bced090c59244

SHA512
0b17112764ddafc087e655fad16462b208b06a792c492af5bfdd0971639b2bd8a318fb354d28e89503c3ec8cd48f1f38d9eb41a97719b17321d45550eedb52e6

Download Submit
memory/908-57-0x0000000000000000-mapping.dmp

Download
memory/1080-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1744-64-0x00000000004139DE-mapping.dmp

Download
memory/1744-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1744-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads