lokibot | b4b91ec279ef9a76856760c350e59e1d7e96c1b921fe7a2121093e2dccdb51b9

General

Target

9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exe
Size

596KB
MD5

b98727e791f0d577d71eb9ca233d7d9b
SHA1

108b1efdabf10836584c22ae042b5913d7a5a856
SHA256

9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2
SHA512

19cb802c64fcef080c35fff81bad5c2d4d862a443025bf0da733ed1d8b8ad5f57cc019f16e66fd91d78aef4d8777e30bae5d8bc8cb8871b88475cee847a537c0
SSDEEP

6144:4Ya6XCxwHwR6cDMOjbqEXtkhMEhd8toZxucQ7SEZijHo9NWCdkcg7vXy5HTx:4YBxgb+M4QzZibGWCdPAqtl

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

gienvxg.exegienvxg.exe

pid process

5088 gienvxg.exe
380 gienvxg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5088	gienvxg.exe
380	gienvxg.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

gienvxg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gienvxg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	gienvxg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gienvxg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

gienvxg.exe

description pid process target process

PID 5088 set thread context of 380 5088 gienvxg.exe gienvxg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

gienvxg.exe

pid process

5088 gienvxg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gienvxg.exe

description pid process

Token: SeDebugPrivilege 380 gienvxg.exe

description	pid	process	target process
PID 5088 set thread context of 380	5088	gienvxg.exe	gienvxg.exe

pid	process
5088	gienvxg.exe

description	pid	process
Token: SeDebugPrivilege	380	gienvxg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exegienvxg.exe

description	pid	process	target process
PID 5040 wrote to memory of 5088	5040	9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exe	gienvxg.exe
PID 5040 wrote to memory of 5088	5040	9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exe	gienvxg.exe
PID 5040 wrote to memory of 5088	5040	9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exe	gienvxg.exe
PID 5088 wrote to memory of 380	5088	gienvxg.exe	gienvxg.exe
PID 5088 wrote to memory of 380	5088	gienvxg.exe	gienvxg.exe
PID 5088 wrote to memory of 380	5088	gienvxg.exe	gienvxg.exe
PID 5088 wrote to memory of 380	5088	gienvxg.exe	gienvxg.exe

outlook_office_path 1 IoCs

Processes:

gienvxg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	gienvxg.exe

outlook_win_path 1 IoCs

Processes:

gienvxg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	gienvxg.exe

C:\Users\Admin\AppData\Local\Temp\9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exe
"C:\Users\Admin\AppData\Local\Temp\9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\gienvxg.exe
"C:\Users\Admin\AppData\Local\Temp\gienvxg.exe" C:\Users\Admin\AppData\Local\Temp\msponzz.jb
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\gienvxg.exe
"C:\Users\Admin\AppData\Local\Temp\gienvxg.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gienvxg.exe

Filesize
61KB

MD5
5ca24e5249f5f3b7b4b1ac0fa98a3518

SHA1
3dad5b169b640e066aa6a55ec410eaf4f9e2e816

SHA256
9f778c23e331ad3c42fe3a74584af9282130c0407ebb265fa4e874c3a6ecb329

SHA512
c1ab95160d3eafb6129a10c776a362ffef11a55ca0a366e070932e29415e968c684f5a55f6c9665bd0e7ad68907d2c53474e5efb6bbeb13195e036e2db39fe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gienvxg.exe

Filesize
61KB

MD5
5ca24e5249f5f3b7b4b1ac0fa98a3518

SHA1
3dad5b169b640e066aa6a55ec410eaf4f9e2e816

SHA256
9f778c23e331ad3c42fe3a74584af9282130c0407ebb265fa4e874c3a6ecb329

SHA512
c1ab95160d3eafb6129a10c776a362ffef11a55ca0a366e070932e29415e968c684f5a55f6c9665bd0e7ad68907d2c53474e5efb6bbeb13195e036e2db39fe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gienvxg.exe

Filesize
61KB

MD5
5ca24e5249f5f3b7b4b1ac0fa98a3518

SHA1
3dad5b169b640e066aa6a55ec410eaf4f9e2e816

SHA256
9f778c23e331ad3c42fe3a74584af9282130c0407ebb265fa4e874c3a6ecb329

SHA512
c1ab95160d3eafb6129a10c776a362ffef11a55ca0a366e070932e29415e968c684f5a55f6c9665bd0e7ad68907d2c53474e5efb6bbeb13195e036e2db39fe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msponzz.jb

Filesize
5KB

MD5
809bbcac27fccdea8c785f6529aa935e

SHA1
3eadf2d7df2274d57861d7eefe45bd0d17f14fdd

SHA256
dbdd3c58aec252c8e9d5d7b9ffec04e04f34b433ade1c4eab4e7de3280ca2e0f

SHA512
dac2671e04f414a474daa68527e5a9a0cf9ba662d729fcd2198ffd2df5149230f5fb9390d8e4dfe6cb47f9ab14d8d350d53974b81b8303c3fdb3605c50874ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukvnizuz.j

Filesize
124KB

MD5
f96592fc08367d651cb50621ed7cebd0

SHA1
1d1638767372d591efe0428a7c6d4e9f3a3a147c

SHA256
9b437425ab01e857de53018ae2241e37cd35e121f5ec5a58cb3344dbf6d0cfad

SHA512
e531827518af623f192ab3935e7e1ddcd5531d6039054eb50e264be73f809d2a9553f400367411474246b39ed95cb76f6c1975999a8a80897ca72fdbd4319810

Download Submit
memory/380-137-0x0000000000000000-mapping.dmp

Download
memory/380-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/380-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5088-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads