lokibot | 9d1ef7527f27870acabb3066ff486e312887c5f3e34578da8729b2b460c66acd

General

Target

b9b8dd22b7c9f62e75991a3b73e17e2c.exe
Size

289KB
MD5

b9b8dd22b7c9f62e75991a3b73e17e2c
SHA1

fa60401daeb0fcb9e4e78d046cf0591275485d40
SHA256

9d1ef7527f27870acabb3066ff486e312887c5f3e34578da8729b2b460c66acd
SHA512

7718cfc1b407343061a1adcdc480b55e91ce2efcbffbadf6a76a4aa4e77611944cf3921b808a16efa1f27410b2be74b457f5932c61ce8235eac5d7f772ce9cb5
SSDEEP

6144:oYa6A0GkCpOZRAHyFgPgd+UjtFsFo14K4:oYW0GkCwZrF0UjtuFoa3

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/cody/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

exotn.exeexotn.exe

pid process

3444 exotn.exe
4200 exotn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3444	exotn.exe
4200	exotn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

exotn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	exotn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	exotn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	exotn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

exotn.exe

description pid process target process

PID 3444 set thread context of 4200 3444 exotn.exe exotn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

exotn.exe

pid process

3444 exotn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

exotn.exe

description pid process

Token: SeDebugPrivilege 4200 exotn.exe

description	pid	process	target process
PID 3444 set thread context of 4200	3444	exotn.exe	exotn.exe

pid	process
3444	exotn.exe

description	pid	process
Token: SeDebugPrivilege	4200	exotn.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b9b8dd22b7c9f62e75991a3b73e17e2c.exeexotn.exe

description	pid	process	target process
PID 5088 wrote to memory of 3444	5088	b9b8dd22b7c9f62e75991a3b73e17e2c.exe	exotn.exe
PID 5088 wrote to memory of 3444	5088	b9b8dd22b7c9f62e75991a3b73e17e2c.exe	exotn.exe
PID 5088 wrote to memory of 3444	5088	b9b8dd22b7c9f62e75991a3b73e17e2c.exe	exotn.exe
PID 3444 wrote to memory of 4200	3444	exotn.exe	exotn.exe
PID 3444 wrote to memory of 4200	3444	exotn.exe	exotn.exe
PID 3444 wrote to memory of 4200	3444	exotn.exe	exotn.exe
PID 3444 wrote to memory of 4200	3444	exotn.exe	exotn.exe

outlook_office_path 1 IoCs

Processes:

exotn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	exotn.exe

outlook_win_path 1 IoCs

Processes:

exotn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	exotn.exe

C:\Users\Admin\AppData\Local\Temp\b9b8dd22b7c9f62e75991a3b73e17e2c.exe
"C:\Users\Admin\AppData\Local\Temp\b9b8dd22b7c9f62e75991a3b73e17e2c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\exotn.exe
"C:\Users\Admin\AppData\Local\Temp\exotn.exe" C:\Users\Admin\AppData\Local\Temp\uxjjgwmgqe.vw
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\exotn.exe
"C:\Users\Admin\AppData\Local\Temp\exotn.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exotn.exe

Filesize
50KB

MD5
e8cc37b5e993aa30933b047c0827d8b4

SHA1
68d2aa6845b62fa7fbb94e9183cbfed44c96a5fd

SHA256
a6e057772e1f0fd07e9fb6e8a5e79f81d09dc78ae00d939e59dd8a6cd473de40

SHA512
df4bcfa56348c1a5bd7b57f703768b734b09487824d1dfe7efa8eb59a9a91cdb7a60aada21914c353ca82112eed61b469af598c6ae19ab1be57c75f0e7be0f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exotn.exe

Filesize
50KB

MD5
e8cc37b5e993aa30933b047c0827d8b4

SHA1
68d2aa6845b62fa7fbb94e9183cbfed44c96a5fd

SHA256
a6e057772e1f0fd07e9fb6e8a5e79f81d09dc78ae00d939e59dd8a6cd473de40

SHA512
df4bcfa56348c1a5bd7b57f703768b734b09487824d1dfe7efa8eb59a9a91cdb7a60aada21914c353ca82112eed61b469af598c6ae19ab1be57c75f0e7be0f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exotn.exe

Filesize
50KB

MD5
e8cc37b5e993aa30933b047c0827d8b4

SHA1
68d2aa6845b62fa7fbb94e9183cbfed44c96a5fd

SHA256
a6e057772e1f0fd07e9fb6e8a5e79f81d09dc78ae00d939e59dd8a6cd473de40

SHA512
df4bcfa56348c1a5bd7b57f703768b734b09487824d1dfe7efa8eb59a9a91cdb7a60aada21914c353ca82112eed61b469af598c6ae19ab1be57c75f0e7be0f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fllcce.d

Filesize
124KB

MD5
d1873230b7906fd6c5739024baa7ded0

SHA1
1ce73f8bb23e6064530f4ae7c46d4ffc28deab67

SHA256
a9afd427e9c1724b64efbe598b758a45991db8dfa473154143419db7edfd34b3

SHA512
1c679452c119dffe9d3a3b1ab1e5ac0f62f7b6bc1d41b8f90c355695918911abb0dbacc6715d77ce85ef813cacd0c3c7e23baf2a9a42d9db1e70809688966ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxjjgwmgqe.vw

Filesize
5KB

MD5
ac9b2ba0908996f16c959d6ef75d2c1e

SHA1
b1cf1d1c8df6481baf2fe0716ba40957fb66dd6b

SHA256
2128c7c286ab8b6fa9e038100855e975d08b883a001cc80a5c136b95677a2fa3

SHA512
37f761783a34cdecef69deac5204bc4442d994f0ad555ec4bebd84bfa6003f223e22daeae1850c740fe437cfdaaf8ad2b8201728cfc14a21a0083e86729ff1b2

Download Submit
memory/3444-132-0x0000000000000000-mapping.dmp

Download
memory/4200-137-0x0000000000000000-mapping.dmp

Download
memory/4200-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4200-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads