lokibot | a1c9498de481ec4a7eeaf021a28ae3a9a0b23b3abaab89dfd29a7c85aa871f87

General

Target

34535.exe
Size

200KB
MD5

0f4f9161105a35dd3e7d49508975a226
SHA1

d432f59177bf1e80837accc93810c0b7218b99ea
SHA256

a1c9498de481ec4a7eeaf021a28ae3a9a0b23b3abaab89dfd29a7c85aa871f87
SHA512

9b1a679f20d0e1b58b0ab12cf81304eee3702ac54febeb0d7705b6bc38d726037941e2fdf388f3aaaf849fb11474d085dca6de8db6567577a68f61a7e87316f6
SSDEEP

6144:vYa6gDtFIRhUlFHrFRzTpxOTMXxAz0oQpH4r:vYuDtEyxrVwTfwzFe

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.60/jt/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1940	aumme.exe
1476	aumme.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	34535.exe
1940	aumme.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aumme.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aumme.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aumme.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1476	1940	aumme.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1940	aumme.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	aumme.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 1940	1952	34535.exe	26
PID 1952 wrote to memory of 1940	1952	34535.exe	26
PID 1952 wrote to memory of 1940	1952	34535.exe	26
PID 1952 wrote to memory of 1940	1952	34535.exe	26
PID 1940 wrote to memory of 1476	1940	aumme.exe	27
PID 1940 wrote to memory of 1476	1940	aumme.exe	27
PID 1940 wrote to memory of 1476	1940	aumme.exe	27
PID 1940 wrote to memory of 1476	1940	aumme.exe	27
PID 1940 wrote to memory of 1476	1940	aumme.exe	27

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aumme.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aumme.exe

C:\Users\Admin\AppData\Local\Temp\34535.exe
"C:\Users\Admin\AppData\Local\Temp\34535.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\aumme.exe
  "C:\Users\Admin\AppData\Local\Temp\aumme.exe" C:\Users\Admin\AppData\Local\Temp\actkmg.mx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\aumme.exe
    "C:\Users\Admin\AppData\Local\Temp\aumme.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\actkmg.mx

Filesize
6KB

MD5
a3cbb3799659833c85800fa75070d9f5

SHA1
0d022d5b9a17beade7b6a8157e9841a01451dae2

SHA256
c7e52a7504c13b9a41414323c608d9f9de6e8bfcb4c91bc8e4100184360d5158

SHA512
bd213c866d0e52d53396287d7454c0d12b709eafa9c704f9d53b97d2095ea538bb4e508867a6a14cd6287a93d96369e8401012b1f78da9f7e652201e7284b585

Download Submit
C:\Users\Admin\AppData\Local\Temp\aumme.exe

Filesize
112KB

MD5
179d493c38c31de4894d41123944640c

SHA1
a3e3efe961e5a2e3d1ed2d9eaa22eecd78c3428d

SHA256
98d284a8916557f6772f0b84b1e1fc3413bfd2e7af66350cb8bf5f08dd2f0e86

SHA512
d952b994040edc8aaa5f3c977f752510cccd53f520e822b31bf0e59c1fe5c785d54837411c4cce69122e07f0cc8c4fd5748dd3b3690d4aad1ba229d66b501f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aumme.exe

Filesize
112KB

MD5
179d493c38c31de4894d41123944640c

SHA1
a3e3efe961e5a2e3d1ed2d9eaa22eecd78c3428d

SHA256
98d284a8916557f6772f0b84b1e1fc3413bfd2e7af66350cb8bf5f08dd2f0e86

SHA512
d952b994040edc8aaa5f3c977f752510cccd53f520e822b31bf0e59c1fe5c785d54837411c4cce69122e07f0cc8c4fd5748dd3b3690d4aad1ba229d66b501f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aumme.exe

Filesize
112KB

MD5
179d493c38c31de4894d41123944640c

SHA1
a3e3efe961e5a2e3d1ed2d9eaa22eecd78c3428d

SHA256
98d284a8916557f6772f0b84b1e1fc3413bfd2e7af66350cb8bf5f08dd2f0e86

SHA512
d952b994040edc8aaa5f3c977f752510cccd53f520e822b31bf0e59c1fe5c785d54837411c4cce69122e07f0cc8c4fd5748dd3b3690d4aad1ba229d66b501f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziwqfbodfn.yc

Filesize
124KB

MD5
aaaef1afef41ac9fc68e8ce7adebb0c9

SHA1
b974f9901a3f9247a219f809ecef21a15904a6ff

SHA256
62cee7a73141447f7158c7c2aa061c4c4d94d3f5d208ae24f6088d012cd25b3d

SHA512
1da0b2ca2ee5b18d6d52545dde3e65dbf68090292dd65ddd322d0333e1de80e86959cd3be7dfdb46e871ab84088f99c9487ebfd40de6a9be9b044148c89fed69

Download Submit
\Users\Admin\AppData\Local\Temp\aumme.exe

Filesize
112KB

MD5
179d493c38c31de4894d41123944640c

SHA1
a3e3efe961e5a2e3d1ed2d9eaa22eecd78c3428d

SHA256
98d284a8916557f6772f0b84b1e1fc3413bfd2e7af66350cb8bf5f08dd2f0e86

SHA512
d952b994040edc8aaa5f3c977f752510cccd53f520e822b31bf0e59c1fe5c785d54837411c4cce69122e07f0cc8c4fd5748dd3b3690d4aad1ba229d66b501f6a

Download Submit
\Users\Admin\AppData\Local\Temp\aumme.exe

Filesize
112KB

MD5
179d493c38c31de4894d41123944640c

SHA1
a3e3efe961e5a2e3d1ed2d9eaa22eecd78c3428d

SHA256
98d284a8916557f6772f0b84b1e1fc3413bfd2e7af66350cb8bf5f08dd2f0e86

SHA512
d952b994040edc8aaa5f3c977f752510cccd53f520e822b31bf0e59c1fe5c785d54837411c4cce69122e07f0cc8c4fd5748dd3b3690d4aad1ba229d66b501f6a

Download Submit
memory/1476-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1476-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1952-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing