lokibot | f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6

General

Target

f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exe
Size

149KB
MD5

1fe16c903136a091bf235245ee09b9d1
SHA1

83ef584729558e76d20491695acbb773af6f2b47
SHA256

f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6
SHA512

c541ce43144deed3fd381bd760b1ce349a89b00b397e8056d06bbc98c7c733df99ebf42eb6c6c287c4fef45d419597b750092ec5e0a9d319852e69019f2c7706
SSDEEP

3072:rf1BDZ0kVB67Duw9AMcTbsxhicKW5QO8ND7kN8JBpdL0jIhz2bqSxbz5H/Tjju4S:r9X0Gfs+DOg0YdLAIllc/TjjuoKeXmd

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://becharnise.ir/fb3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

h82hxt7brctb.exeh82hxt7brctb.exe

pid process

1636 h82hxt7brctb.exe
4892 h82hxt7brctb.exe
Loads dropped DLL 1 IoCs

Processes:

h82hxt7brctb.exe

pid process

1636 h82hxt7brctb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

h82hxt7brctb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	h82hxt7brctb.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	h82hxt7brctb.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	h82hxt7brctb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

h82hxt7brctb.exe

description pid process target process

PID 1636 set thread context of 4892 1636 h82hxt7brctb.exe h82hxt7brctb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1636 set thread context of 4892	1636	h82hxt7brctb.exe	h82hxt7brctb.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

h82hxt7brctb.exe

pid	process
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe
1636	h82hxt7brctb.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

h82hxt7brctb.exe

pid process

1636 h82hxt7brctb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

h82hxt7brctb.exe

description pid process

Token: SeDebugPrivilege 4892 h82hxt7brctb.exe

description	pid	process
Token: SeDebugPrivilege	4892	h82hxt7brctb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exeh82hxt7brctb.exe

description	pid	process	target process
PID 1960 wrote to memory of 1636	1960	f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exe	h82hxt7brctb.exe
PID 1960 wrote to memory of 1636	1960	f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exe	h82hxt7brctb.exe
PID 1960 wrote to memory of 1636	1960	f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exe	h82hxt7brctb.exe
PID 1636 wrote to memory of 4892	1636	h82hxt7brctb.exe	h82hxt7brctb.exe
PID 1636 wrote to memory of 4892	1636	h82hxt7brctb.exe	h82hxt7brctb.exe
PID 1636 wrote to memory of 4892	1636	h82hxt7brctb.exe	h82hxt7brctb.exe
PID 1636 wrote to memory of 4892	1636	h82hxt7brctb.exe	h82hxt7brctb.exe

outlook_office_path 1 IoCs

Processes:

h82hxt7brctb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	h82hxt7brctb.exe

outlook_win_path 1 IoCs

Processes:

h82hxt7brctb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	h82hxt7brctb.exe

C:\Users\Admin\AppData\Local\Temp\f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exe
"C:\Users\Admin\AppData\Local\Temp\f52f70447cbebf182eeaa5a0a48ee305c59e00307b69a7eae7ea6517c0fb5bb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe
"C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe" "C:\Users\Admin\AppData\Local\Temp\j6pfhd01q.dll" "C:\Users\Admin\AppData\Local\Temp\nrxywyxq.zh"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe
"C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe" "C:\Users\Admin\AppData\Local\Temp\j6pfhd01q.dll" "C:\Users\Admin\AppData\Local\Temp\nrxywyxq.zh"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe

Filesize
3KB

MD5
2632c0058c899f8a94077b5abab7cc96

SHA1
2b2e620c7964d27828f903ebe4cf9359390a5f06

SHA256
10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e

SHA512
a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe

Filesize
3KB

MD5
2632c0058c899f8a94077b5abab7cc96

SHA1
2b2e620c7964d27828f903ebe4cf9359390a5f06

SHA256
10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e

SHA512
a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h82hxt7brctb.exe

Filesize
3KB

MD5
2632c0058c899f8a94077b5abab7cc96

SHA1
2b2e620c7964d27828f903ebe4cf9359390a5f06

SHA256
10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e

SHA512
a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\j6pfhd01q.dll

Filesize
11KB

MD5
6692872153f100ab03f1e6214b899e55

SHA1
9ef30be974d6fd455689c7d4c75ab8b300da912f

SHA256
9266cd918f54bf5ca4100c5018071c1d487df27c4b3c4580ae7a94365e5e5bba

SHA512
b119519c5b38c7c053bb38f61228b16951ac43b3fd0577f6420e91070b6aec6372dcb86e68b88d41a86e19ad189d66f8176184098cf47cfef80800f108c7b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\j6pfhd01q.dll

Filesize
11KB

MD5
6692872153f100ab03f1e6214b899e55

SHA1
9ef30be974d6fd455689c7d4c75ab8b300da912f

SHA256
9266cd918f54bf5ca4100c5018071c1d487df27c4b3c4580ae7a94365e5e5bba

SHA512
b119519c5b38c7c053bb38f61228b16951ac43b3fd0577f6420e91070b6aec6372dcb86e68b88d41a86e19ad189d66f8176184098cf47cfef80800f108c7b255

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrxywyxq.zh

Filesize
104KB

MD5
9bdf07f1f721fcc83109e2b22a309bf7

SHA1
08dd9630a5b35f2c71993b0fbc07cc4ba67d6dda

SHA256
617c34ebc612586ba393575296dacda97bf2d6c4eff6f6689e931ff4de2db561

SHA512
5c2beb05b7121ec729f9d5ededfec7d7358d37e96fec4a7dc9bc102c8d6f6dd635fb43ebb4171f677070344cabc881d99f0fb0eb880c74cd536c8e8d213f3fcf

Download Submit
memory/1636-132-0x0000000000000000-mapping.dmp

Download
memory/1636-140-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4892-138-0x0000000000000000-mapping.dmp

Download
memory/4892-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4892-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads