lokibot | 8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5

General

Target

8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe
Size

183KB
MD5

a62b834fd42367f384b1a6a7250a3e9f
SHA1

0e94fe518c1aaefda7b451640e83dacb850acf24
SHA256

8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5
SHA512

f041f541e8684229024a57f2244ac4f644a94134bf9c45dcbd5938b8a3a55e19191170702bd9b56c0f5dd4e7908efdcba499839c4a50bd6a116d3fcd9507578f
SSDEEP

3072:HfY/TU9fE9PEtuIbp9SrK0uwo9zVjotEIg02SdJPW0Ib1OeaLvIqR3IaoLhmOW5d:/Ya6Mp9DLDzVjJn02SLWbp4LI4MhmTDl

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/davidhill/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

lxzkrytqn.exelxzkrytqn.exe

pid process

808 lxzkrytqn.exe
2040 lxzkrytqn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
808	lxzkrytqn.exe
2040	lxzkrytqn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

lxzkrytqn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lxzkrytqn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	lxzkrytqn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lxzkrytqn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lxzkrytqn.exe

description pid process target process

PID 808 set thread context of 2040 808 lxzkrytqn.exe lxzkrytqn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lxzkrytqn.exe

pid process

808 lxzkrytqn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lxzkrytqn.exe

description pid process

Token: SeDebugPrivilege 2040 lxzkrytqn.exe

description	pid	process	target process
PID 808 set thread context of 2040	808	lxzkrytqn.exe	lxzkrytqn.exe

pid	process
808	lxzkrytqn.exe

description	pid	process
Token: SeDebugPrivilege	2040	lxzkrytqn.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exelxzkrytqn.exe

description	pid	process	target process
PID 3440 wrote to memory of 808	3440	8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe	lxzkrytqn.exe
PID 3440 wrote to memory of 808	3440	8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe	lxzkrytqn.exe
PID 3440 wrote to memory of 808	3440	8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe	lxzkrytqn.exe
PID 808 wrote to memory of 2040	808	lxzkrytqn.exe	lxzkrytqn.exe
PID 808 wrote to memory of 2040	808	lxzkrytqn.exe	lxzkrytqn.exe
PID 808 wrote to memory of 2040	808	lxzkrytqn.exe	lxzkrytqn.exe
PID 808 wrote to memory of 2040	808	lxzkrytqn.exe	lxzkrytqn.exe

outlook_office_path 1 IoCs

Processes:

lxzkrytqn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lxzkrytqn.exe

outlook_win_path 1 IoCs

Processes:

lxzkrytqn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lxzkrytqn.exe

C:\Users\Admin\AppData\Local\Temp\8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe
"C:\Users\Admin\AppData\Local\Temp\8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
  "C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe" C:\Users\Admin\AppData\Local\Temp\zyman.on
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe
    "C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\doczghyo.e

Filesize
124KB

MD5
109134b95673bdfb8f2f5872f0e35fdf

SHA1
940976e8e0372afe7b9776fb476ca2906fd8485d

SHA256
94cbffb1fc4ec1a2713014ffb1be6ce7e47094635607f3b9dd98e8c23c146599

SHA512
9ffdbb696eb03f9c5003c70b9cff759fd1a5ad72bb81367611414135e234d626f390e6d3ba5fa1a3bc68fc97c4db5347339653970d7599a9301c0e7db722fbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe

Filesize
79KB

MD5
cb792b162cc913c4d11aa938b4a58178

SHA1
5268fce44b48760b88dbf0838eb3f720cf9e158d

SHA256
ed155f1847f69fc5cb2784bf91edeffd4e8f6b24294dd2a129f977bdb403feb2

SHA512
c2e1cb00a7d093519c109eb22f660db4c3ab459694aefc0d781a9588ff6ebd99270f86f6a7a5b6e3be172e15c082d4a210f04efade48ef915e5d0376cb298da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe

Filesize
79KB

MD5
cb792b162cc913c4d11aa938b4a58178

SHA1
5268fce44b48760b88dbf0838eb3f720cf9e158d

SHA256
ed155f1847f69fc5cb2784bf91edeffd4e8f6b24294dd2a129f977bdb403feb2

SHA512
c2e1cb00a7d093519c109eb22f660db4c3ab459694aefc0d781a9588ff6ebd99270f86f6a7a5b6e3be172e15c082d4a210f04efade48ef915e5d0376cb298da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxzkrytqn.exe

Filesize
79KB

MD5
cb792b162cc913c4d11aa938b4a58178

SHA1
5268fce44b48760b88dbf0838eb3f720cf9e158d

SHA256
ed155f1847f69fc5cb2784bf91edeffd4e8f6b24294dd2a129f977bdb403feb2

SHA512
c2e1cb00a7d093519c109eb22f660db4c3ab459694aefc0d781a9588ff6ebd99270f86f6a7a5b6e3be172e15c082d4a210f04efade48ef915e5d0376cb298da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyman.on

Filesize
5KB

MD5
98773c6af0b5db8dc18e89967f9022f7

SHA1
f0efc1631706e1d7616f1e85bac79202fcd64ba9

SHA256
ae2df3b8f0ecd6d614014d043b8b6286791b6baf693b95d2ae7ce48d148cab33

SHA512
990077a190a05162680701997260cda598311d2caa96164a8a40e4f9c6eb49c92fe3c5b04857c13f8450d0e3892b7f5d708a024da98b218e987ce083656d8d33

Download Submit
memory/808-132-0x0000000000000000-mapping.dmp

Download
memory/2040-137-0x0000000000000000-mapping.dmp

Download
memory/2040-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2040-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads