lokibot | 6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb

General

Target

6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe
Size

217KB
MD5

2cdb13d0611023b8496cb5ba9a5f59db
SHA1

2a20f9f6dc9a9be0553a2614538e5fada5dfbd54
SHA256

6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb
SHA512

5a50076c0f1ab10bf38377460a80094f6e0d4ab846992a342d48de37daac66355bc5f3e22b81d2825744720716c4105ca29d5fb30157f40bbcf58af7985c5f28
SSDEEP

6144:vYa6Hg5j1ktqoHgDxmGIo5CoE8Js1LcdYUg:vYV2k3ADx3L5JNs1IdYUg

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

hccmhbg.exehccmhbg.exe

pid process

1208 hccmhbg.exe
2028 hccmhbg.exe

pid	process
1208	hccmhbg.exe
2028	hccmhbg.exe

Loads dropped DLL 3 IoCs

Processes:

6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exehccmhbg.exe

pid	process
2032	6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe
2032	6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe
1208	hccmhbg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

hccmhbg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hccmhbg.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hccmhbg.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hccmhbg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hccmhbg.exe

description pid process target process

PID 1208 set thread context of 2028 1208 hccmhbg.exe hccmhbg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hccmhbg.exe

pid process

1208 hccmhbg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hccmhbg.exe

description pid process

Token: SeDebugPrivilege 2028 hccmhbg.exe

description	pid	process	target process
PID 1208 set thread context of 2028	1208	hccmhbg.exe	hccmhbg.exe

pid	process
1208	hccmhbg.exe

description	pid	process
Token: SeDebugPrivilege	2028	hccmhbg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exehccmhbg.exe

description	pid	process	target process
PID 2032 wrote to memory of 1208	2032	6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe	hccmhbg.exe
PID 2032 wrote to memory of 1208	2032	6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe	hccmhbg.exe
PID 2032 wrote to memory of 1208	2032	6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe	hccmhbg.exe
PID 2032 wrote to memory of 1208	2032	6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe	hccmhbg.exe
PID 1208 wrote to memory of 2028	1208	hccmhbg.exe	hccmhbg.exe
PID 1208 wrote to memory of 2028	1208	hccmhbg.exe	hccmhbg.exe
PID 1208 wrote to memory of 2028	1208	hccmhbg.exe	hccmhbg.exe
PID 1208 wrote to memory of 2028	1208	hccmhbg.exe	hccmhbg.exe
PID 1208 wrote to memory of 2028	1208	hccmhbg.exe	hccmhbg.exe

outlook_office_path 1 IoCs

Processes:

hccmhbg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hccmhbg.exe

outlook_win_path 1 IoCs

Processes:

hccmhbg.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hccmhbg.exe

C:\Users\Admin\AppData\Local\Temp\6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe
"C:\Users\Admin\AppData\Local\Temp\6cbd76ecbb8d04b263e10fd679acae33201e9d468b0dbcfce80b343efaae20eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe
  "C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe" C:\Users\Admin\AppData\Local\Temp\xwaemdjpkej.f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe
    "C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe

Filesize
164KB

MD5
67a35e71cc811b3f4a99313efbc34ef1

SHA1
46f352cb1df19431bddacf9ec67d1d0b7511f9c6

SHA256
1a9157d72a42150ec7e6a82396b52e3475e6738bda98ae933693f947eb574dda

SHA512
46461c73acb1f8b858c95b2809191ad8c2e1e4ec0e249509c6d656d9d839c902301621101dda92b2d8335c5e21db909f1c8ade073ffe73320f7a576ecf80e3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe

Filesize
164KB

MD5
67a35e71cc811b3f4a99313efbc34ef1

SHA1
46f352cb1df19431bddacf9ec67d1d0b7511f9c6

SHA256
1a9157d72a42150ec7e6a82396b52e3475e6738bda98ae933693f947eb574dda

SHA512
46461c73acb1f8b858c95b2809191ad8c2e1e4ec0e249509c6d656d9d839c902301621101dda92b2d8335c5e21db909f1c8ade073ffe73320f7a576ecf80e3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccmhbg.exe

Filesize
164KB

MD5
67a35e71cc811b3f4a99313efbc34ef1

SHA1
46f352cb1df19431bddacf9ec67d1d0b7511f9c6

SHA256
1a9157d72a42150ec7e6a82396b52e3475e6738bda98ae933693f947eb574dda

SHA512
46461c73acb1f8b858c95b2809191ad8c2e1e4ec0e249509c6d656d9d839c902301621101dda92b2d8335c5e21db909f1c8ade073ffe73320f7a576ecf80e3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugthivw.ofl

Filesize
124KB

MD5
d6d2889d9ee79ecd674a7e351a17794d

SHA1
a3eb20a55dfe557fd181a97428ebab7fe14797af

SHA256
16c33e991580f5079830e12339533c19f4dfaf47fd246a52935b38e77c328264

SHA512
3fb01f66e6bdcbe7f8476367befa291d862482ac34ed87d8dfcbe070978766b268d2514fd4ff6cf6cdc72e710817c20400940f8a914f46e1f0ffdf3f1dbf0872

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwaemdjpkej.f

Filesize
5KB

MD5
b4c88175f6c2001904af6c579598ee59

SHA1
b5740906c58cc6a131f4677a1595ebc576b4323c

SHA256
ce07c881f5d5376976fe286c9367f0172d5dbd2c5bc056b227640ef239e9ee91

SHA512
5c86e83c2cd7f3fc54b3b986378f9febe5f41761affd43ce6c74a9062484a868e73c29961eb2231f254ce84489e771a48fa21242e8975df0f0119a0411f318c6

Download Submit
\Users\Admin\AppData\Local\Temp\hccmhbg.exe

Filesize
164KB

MD5
67a35e71cc811b3f4a99313efbc34ef1

SHA1
46f352cb1df19431bddacf9ec67d1d0b7511f9c6

SHA256
1a9157d72a42150ec7e6a82396b52e3475e6738bda98ae933693f947eb574dda

SHA512
46461c73acb1f8b858c95b2809191ad8c2e1e4ec0e249509c6d656d9d839c902301621101dda92b2d8335c5e21db909f1c8ade073ffe73320f7a576ecf80e3e0

Download Submit
\Users\Admin\AppData\Local\Temp\hccmhbg.exe

Filesize
164KB

MD5
67a35e71cc811b3f4a99313efbc34ef1

SHA1
46f352cb1df19431bddacf9ec67d1d0b7511f9c6

SHA256
1a9157d72a42150ec7e6a82396b52e3475e6738bda98ae933693f947eb574dda

SHA512
46461c73acb1f8b858c95b2809191ad8c2e1e4ec0e249509c6d656d9d839c902301621101dda92b2d8335c5e21db909f1c8ade073ffe73320f7a576ecf80e3e0

Download Submit
\Users\Admin\AppData\Local\Temp\hccmhbg.exe

Filesize
164KB

MD5
67a35e71cc811b3f4a99313efbc34ef1

SHA1
46f352cb1df19431bddacf9ec67d1d0b7511f9c6

SHA256
1a9157d72a42150ec7e6a82396b52e3475e6738bda98ae933693f947eb574dda

SHA512
46461c73acb1f8b858c95b2809191ad8c2e1e4ec0e249509c6d656d9d839c902301621101dda92b2d8335c5e21db909f1c8ade073ffe73320f7a576ecf80e3e0

Download Submit
memory/1208-57-0x0000000000000000-mapping.dmp

Download
memory/2028-64-0x00000000004139DE-mapping.dmp

Download
memory/2028-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2028-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2032-54-0x0000000075991000-0x0000000075993000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads