lokibot | 1d1e73b6700577d4bbbdd646e0e91a8e2d884c612b0fad5435fec7de054006ca

General

Target

82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exe
Size

182KB
MD5

3c201fc4355b967aefaae295cc6fa701
SHA1

4ad41361158e353f97245fab6cc4a428ecb3412b
SHA256

82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6
SHA512

074ee95baf1ac1f655c3cdfa05f01d484f09db33c3b833b286607ef4190ed5af654f124e150a10c3a4a26f198ee7da06b2d991b6112b55c37c10554e6526bea1
SSDEEP

3072:HfY/TU9fE9PEtuVbaQ0J5VhItJ/g30rXufhkiz1mWGf3VIYydK0QPWWBT3QAU49p:/Ya6r10JJOY0Lu1mWipy0PLHFp

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

hfmvin.exehfmvin.exe

pid process

3208 hfmvin.exe
2388 hfmvin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3208	hfmvin.exe
2388	hfmvin.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

hfmvin.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hfmvin.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hfmvin.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hfmvin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hfmvin.exe

description pid process target process

PID 3208 set thread context of 2388 3208 hfmvin.exe hfmvin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hfmvin.exe

pid process

3208 hfmvin.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hfmvin.exe

description pid process

Token: SeDebugPrivilege 2388 hfmvin.exe

description	pid	process	target process
PID 3208 set thread context of 2388	3208	hfmvin.exe	hfmvin.exe

pid	process
3208	hfmvin.exe

description	pid	process
Token: SeDebugPrivilege	2388	hfmvin.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exehfmvin.exe

description	pid	process	target process
PID 4712 wrote to memory of 3208	4712	82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exe	hfmvin.exe
PID 4712 wrote to memory of 3208	4712	82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exe	hfmvin.exe
PID 4712 wrote to memory of 3208	4712	82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exe	hfmvin.exe
PID 3208 wrote to memory of 2388	3208	hfmvin.exe	hfmvin.exe
PID 3208 wrote to memory of 2388	3208	hfmvin.exe	hfmvin.exe
PID 3208 wrote to memory of 2388	3208	hfmvin.exe	hfmvin.exe
PID 3208 wrote to memory of 2388	3208	hfmvin.exe	hfmvin.exe

outlook_office_path 1 IoCs

Processes:

hfmvin.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hfmvin.exe

outlook_win_path 1 IoCs

Processes:

hfmvin.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hfmvin.exe

C:\Users\Admin\AppData\Local\Temp\82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exe
"C:\Users\Admin\AppData\Local\Temp\82539bbc4b89e4cb63f920ac8d2a59f48237688830da77c2aa3da81b58fe5dc6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\hfmvin.exe
  "C:\Users\Admin\AppData\Local\Temp\hfmvin.exe" C:\Users\Admin\AppData\Local\Temp\zdyquvojou.slv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\hfmvin.exe
    "C:\Users\Admin\AppData\Local\Temp\hfmvin.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hfmvin.exe

Filesize
79KB

MD5
1569e2caf69f69a661e4014b56bd41f2

SHA1
502bbadd27b4adac65b1d2f89a6bd66243d8355d

SHA256
e5b821c028ae135e40ec3e9d7400ef514131b8fff75767fb619896d3acef8f04

SHA512
1c23c1c7e288b9046ec3fc342f81c5cdb54bdfac34b70ce30a9cef27472d11f6cc1886f0033fc954da174651365100c6a17c7aca9e69fdc8e4de778ded6da6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfmvin.exe

Filesize
79KB

MD5
1569e2caf69f69a661e4014b56bd41f2

SHA1
502bbadd27b4adac65b1d2f89a6bd66243d8355d

SHA256
e5b821c028ae135e40ec3e9d7400ef514131b8fff75767fb619896d3acef8f04

SHA512
1c23c1c7e288b9046ec3fc342f81c5cdb54bdfac34b70ce30a9cef27472d11f6cc1886f0033fc954da174651365100c6a17c7aca9e69fdc8e4de778ded6da6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfmvin.exe

Filesize
79KB

MD5
1569e2caf69f69a661e4014b56bd41f2

SHA1
502bbadd27b4adac65b1d2f89a6bd66243d8355d

SHA256
e5b821c028ae135e40ec3e9d7400ef514131b8fff75767fb619896d3acef8f04

SHA512
1c23c1c7e288b9046ec3fc342f81c5cdb54bdfac34b70ce30a9cef27472d11f6cc1886f0033fc954da174651365100c6a17c7aca9e69fdc8e4de778ded6da6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kliasrh.oi

Filesize
124KB

MD5
dece2960f5f43f6bb2708f5477de37b2

SHA1
83eda7f8e8add4d690014d8d39f0cac6113c941d

SHA256
1c8a98b4d2b5fac5c844cf9de4b5c083d5699ebf7e1fd50b0c63562076c461db

SHA512
3d63f4c711b0d56e460c9a85c5c300a20dd66c69f88e0ec0fe378f13b582eb8efeadaf57f9fc396be3886468ba1ce48e25e6381432138ffb0638d5f622352e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdyquvojou.slv

Filesize
5KB

MD5
ca798aba91e0b1a9b2940c395562a34c

SHA1
14bd11f6f57efb1b417608f43b1d7d4a9397dbcc

SHA256
7d01de0741445c8caccff77a58c667298d2e291f391dfbda2931f265f08e7a83

SHA512
0018b934f0fc36cc52556d1254512fc3b345ebcd4eb66964850eea76d0e676e4d87bdb53bbcf90d04c9bf5b4c9c586e6fd012ebe3f9f8c3821738fdaa6ed9732

Download Submit
memory/2388-137-0x0000000000000000-mapping.dmp

Download
memory/2388-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2388-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3208-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads