lokibot | cc42d9dd41c3cbb5fe3b00ea058b154e35d2bf3fc5308257a40ab1626d784d4c

General

Target

Withholdin TAX GOSUBKK80262088.exe
Size

701KB
MD5

a48965da2c57db3d3cd6f9177e8ecbfa
SHA1

a67559012be15fd65de4cb81094cc7606d37f762
SHA256

cc42d9dd41c3cbb5fe3b00ea058b154e35d2bf3fc5308257a40ab1626d784d4c
SHA512

c3b87df13f155288f5ab5779f133d53e61171eb4bb79714d55df7daad4e9e99652d59271c98fa604cc7ef9554286a6bdd9420f9c7043cb9c9ef68469556e212a
SSDEEP

12288:VxEOxdueS0pn2iNUdrF6GssqLr2uLqV9i5zkYk2UX+oNa:VxEO7zn1GFF6GstLCuUk5CO

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.164/sharon/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Withholdin TAX GOSUBKK80262088.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Withholdin TAX GOSUBKK80262088.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Withholdin TAX GOSUBKK80262088.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
860	Withholdin TAX GOSUBKK80262088.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	Withholdin TAX GOSUBKK80262088.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28
PID 1920 wrote to memory of 860	1920	Withholdin TAX GOSUBKK80262088.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Withholdin TAX GOSUBKK80262088.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Withholdin TAX GOSUBKK80262088.exe

C:\Users\Admin\AppData\Local\Temp\Withholdin TAX GOSUBKK80262088.exe
"C:\Users\Admin\AppData\Local\Temp\Withholdin TAX GOSUBKK80262088.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\Withholdin TAX GOSUBKK80262088.exe
  "C:\Users\Admin\AppData\Local\Temp\Withholdin TAX GOSUBKK80262088.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1920-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1920-59-0x0000000000B50000-0x0000000000B72000-memory.dmp

Filesize
136KB

Download
memory/1920-54-0x0000000000D70000-0x0000000000E26000-memory.dmp

Filesize
728KB

Download
memory/1920-58-0x0000000004D30000-0x0000000004D8A000-memory.dmp

Filesize
360KB

Download
memory/1920-57-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1920-56-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing