lokibot | a33eccf055f2f191059c156d868aaf2cf5f1c451587b23e41bfcd77f5b0eacc0

General

Target

86ecf018b7711d3a453ceeca71cdd7fe.exe
Size

184KB
MD5

86ecf018b7711d3a453ceeca71cdd7fe
SHA1

343a3005c6729f4ceb2dc3c9b0a44aa317d0a99a
SHA256

a33eccf055f2f191059c156d868aaf2cf5f1c451587b23e41bfcd77f5b0eacc0
SHA512

3e070d28644fc03364c8a419a6c618a069c069a3fa445e96b7d09faa9b9139456a4f42027e55fb9445d504e71a31eecde798728181f9c511ab46eb68c487a14a
SSDEEP

3072:HfY/TU9fE9PEtuFbpwhkfFRpS5FKR2AYs5wuoe9Zn/t0tYa2eC+P/TNPJWq94Jnp:/Ya6DpCmhS02Ls+49Zn/StYGCE/TKqqT

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

yzsdziy.exeyzsdziy.exe

pid process

1788 yzsdziy.exe
2036 yzsdziy.exe
Loads dropped DLL 3 IoCs

Processes:

86ecf018b7711d3a453ceeca71cdd7fe.exeyzsdziy.exe

pid process

1412 86ecf018b7711d3a453ceeca71cdd7fe.exe
1412 86ecf018b7711d3a453ceeca71cdd7fe.exe
1788 yzsdziy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1788	yzsdziy.exe
2036	yzsdziy.exe

pid	process
1412	86ecf018b7711d3a453ceeca71cdd7fe.exe
1412	86ecf018b7711d3a453ceeca71cdd7fe.exe
1788	yzsdziy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

yzsdziy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	yzsdziy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	yzsdziy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	yzsdziy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

yzsdziy.exe

description pid process target process

PID 1788 set thread context of 2036 1788 yzsdziy.exe yzsdziy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

yzsdziy.exe

pid process

1788 yzsdziy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

yzsdziy.exe

description pid process

Token: SeDebugPrivilege 2036 yzsdziy.exe

description	pid	process	target process
PID 1788 set thread context of 2036	1788	yzsdziy.exe	yzsdziy.exe

pid	process
1788	yzsdziy.exe

description	pid	process
Token: SeDebugPrivilege	2036	yzsdziy.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

86ecf018b7711d3a453ceeca71cdd7fe.exeyzsdziy.exe

description	pid	process	target process
PID 1412 wrote to memory of 1788	1412	86ecf018b7711d3a453ceeca71cdd7fe.exe	yzsdziy.exe
PID 1412 wrote to memory of 1788	1412	86ecf018b7711d3a453ceeca71cdd7fe.exe	yzsdziy.exe
PID 1412 wrote to memory of 1788	1412	86ecf018b7711d3a453ceeca71cdd7fe.exe	yzsdziy.exe
PID 1412 wrote to memory of 1788	1412	86ecf018b7711d3a453ceeca71cdd7fe.exe	yzsdziy.exe
PID 1788 wrote to memory of 2036	1788	yzsdziy.exe	yzsdziy.exe
PID 1788 wrote to memory of 2036	1788	yzsdziy.exe	yzsdziy.exe
PID 1788 wrote to memory of 2036	1788	yzsdziy.exe	yzsdziy.exe
PID 1788 wrote to memory of 2036	1788	yzsdziy.exe	yzsdziy.exe
PID 1788 wrote to memory of 2036	1788	yzsdziy.exe	yzsdziy.exe

outlook_office_path 1 IoCs

Processes:

yzsdziy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	yzsdziy.exe

outlook_win_path 1 IoCs

Processes:

yzsdziy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	yzsdziy.exe

C:\Users\Admin\AppData\Local\Temp\86ecf018b7711d3a453ceeca71cdd7fe.exe
"C:\Users\Admin\AppData\Local\Temp\86ecf018b7711d3a453ceeca71cdd7fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe
"C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe" C:\Users\Admin\AppData\Local\Temp\calwsae.bzj
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe
"C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\beyude.dlv

Filesize
124KB

MD5
5c282ccbc7cfb140cec07a727bbca475

SHA1
7930e8f83850616a2e5f4e6637e19db46226011d

SHA256
e65b037430d8a664c3d3f0bb2dd1de221de3bebad7e24757e76e1b87742c36db

SHA512
817e8096708e0b5ed9ba056f6688091d94b15063bd7e3d7e8840bc63864d71ae5b4b520ad6bcbf1ef68bcd17dcbdbe2c17c218c5b034132a2de8c29b21a6971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\calwsae.bzj

Filesize
5KB

MD5
e2d3ead1eb5c2839621ac9e283880d51

SHA1
ae53d25bccec18f954eff1f383f423f07b09c830

SHA256
dd91aec7103fe04ee2617ccb22fa7d6603c8d0852dee91bbe770179bee8cc896

SHA512
fe60a40010a25420fd9949ac00a9d2ad556f386276ed8430d9a317d515da7d824dd200bb0bdff5b3bfc7fd4eebebeb3bad739faec32d447b49c5cd34cdf4f362

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe

Filesize
83KB

MD5
0c0f8039a120070b0ad6eb3688e2a89c

SHA1
ae7ca6dce546b611b18f2fad80a248e7b21e796c

SHA256
68a692e6b53e883b1dfb03c2fe6ad816b9b53945b7293e82e7e04121699f7559

SHA512
44ec9b5bb929fdaff3d4d28865729d70a64cafcff74a9b7e3d17616efb27172fb883e7e428f11f9f0c5f6661353c4f82b887b59e40cf2d607d13387c2e70f86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe

Filesize
83KB

MD5
0c0f8039a120070b0ad6eb3688e2a89c

SHA1
ae7ca6dce546b611b18f2fad80a248e7b21e796c

SHA256
68a692e6b53e883b1dfb03c2fe6ad816b9b53945b7293e82e7e04121699f7559

SHA512
44ec9b5bb929fdaff3d4d28865729d70a64cafcff74a9b7e3d17616efb27172fb883e7e428f11f9f0c5f6661353c4f82b887b59e40cf2d607d13387c2e70f86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzsdziy.exe

Filesize
83KB

MD5
0c0f8039a120070b0ad6eb3688e2a89c

SHA1
ae7ca6dce546b611b18f2fad80a248e7b21e796c

SHA256
68a692e6b53e883b1dfb03c2fe6ad816b9b53945b7293e82e7e04121699f7559

SHA512
44ec9b5bb929fdaff3d4d28865729d70a64cafcff74a9b7e3d17616efb27172fb883e7e428f11f9f0c5f6661353c4f82b887b59e40cf2d607d13387c2e70f86e

Download Submit
\Users\Admin\AppData\Local\Temp\yzsdziy.exe

Filesize
83KB

MD5
0c0f8039a120070b0ad6eb3688e2a89c

SHA1
ae7ca6dce546b611b18f2fad80a248e7b21e796c

SHA256
68a692e6b53e883b1dfb03c2fe6ad816b9b53945b7293e82e7e04121699f7559

SHA512
44ec9b5bb929fdaff3d4d28865729d70a64cafcff74a9b7e3d17616efb27172fb883e7e428f11f9f0c5f6661353c4f82b887b59e40cf2d607d13387c2e70f86e

Download Submit
\Users\Admin\AppData\Local\Temp\yzsdziy.exe

Filesize
83KB

MD5
0c0f8039a120070b0ad6eb3688e2a89c

SHA1
ae7ca6dce546b611b18f2fad80a248e7b21e796c

SHA256
68a692e6b53e883b1dfb03c2fe6ad816b9b53945b7293e82e7e04121699f7559

SHA512
44ec9b5bb929fdaff3d4d28865729d70a64cafcff74a9b7e3d17616efb27172fb883e7e428f11f9f0c5f6661353c4f82b887b59e40cf2d607d13387c2e70f86e

Download Submit
\Users\Admin\AppData\Local\Temp\yzsdziy.exe

Filesize
83KB

MD5
0c0f8039a120070b0ad6eb3688e2a89c

SHA1
ae7ca6dce546b611b18f2fad80a248e7b21e796c

SHA256
68a692e6b53e883b1dfb03c2fe6ad816b9b53945b7293e82e7e04121699f7559

SHA512
44ec9b5bb929fdaff3d4d28865729d70a64cafcff74a9b7e3d17616efb27172fb883e7e428f11f9f0c5f6661353c4f82b887b59e40cf2d607d13387c2e70f86e

Download Submit
memory/1412-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1788-57-0x0000000000000000-mapping.dmp

Download
memory/2036-64-0x00000000004139DE-mapping.dmp

Download
memory/2036-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2036-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads