lokibot | 9fc3f3894d331d6d061cec04bb65b6c82b5d038de9532bd98e73c84c895e4618

General

Target

HSBC PAYMENTS.exe
Size

344KB
MD5

fcb423ac4af9801d133374c802e4a078
SHA1

a955322df787c658ae72eb9e4ea3c41117dfd346
SHA256

e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5
SHA512

75ba6a412e9cf78ff36f34655061d269d840b9ae9f804f9581a899d49a84e4fe371b3971173d9bee140385b53dd95007e8d209d1bbb96522b4d99930766fd2f8
SSDEEP

6144:8Ya6O4eRhQ9sVnQxU1vgT8m4ayccQrV/aXGGaoiNv5ZlG1arcEv7fCJ:8Y1eRh3nWUJgTsl5QrMWJ1RZvrc4fCJ

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

rpsdc.exerpsdc.exe

pid process

956 rpsdc.exe
568 rpsdc.exe
Loads dropped DLL 2 IoCs

Processes:

HSBC PAYMENTS.exerpsdc.exe

pid process

1996 HSBC PAYMENTS.exe
956 rpsdc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
956	rpsdc.exe
568	rpsdc.exe

pid	process
1996	HSBC PAYMENTS.exe
956	rpsdc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rpsdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rpsdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rpsdc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rpsdc.exe

description pid process target process

PID 956 set thread context of 568 956 rpsdc.exe rpsdc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rpsdc.exe

pid process

956 rpsdc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rpsdc.exe

description pid process

Token: SeDebugPrivilege 568 rpsdc.exe

description	pid	process	target process
PID 956 set thread context of 568	956	rpsdc.exe	rpsdc.exe

pid	process
956	rpsdc.exe

description	pid	process
Token: SeDebugPrivilege	568	rpsdc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

HSBC PAYMENTS.exerpsdc.exe

description	pid	process	target process
PID 1996 wrote to memory of 956	1996	HSBC PAYMENTS.exe	rpsdc.exe
PID 1996 wrote to memory of 956	1996	HSBC PAYMENTS.exe	rpsdc.exe
PID 1996 wrote to memory of 956	1996	HSBC PAYMENTS.exe	rpsdc.exe
PID 1996 wrote to memory of 956	1996	HSBC PAYMENTS.exe	rpsdc.exe
PID 956 wrote to memory of 568	956	rpsdc.exe	rpsdc.exe
PID 956 wrote to memory of 568	956	rpsdc.exe	rpsdc.exe
PID 956 wrote to memory of 568	956	rpsdc.exe	rpsdc.exe
PID 956 wrote to memory of 568	956	rpsdc.exe	rpsdc.exe
PID 956 wrote to memory of 568	956	rpsdc.exe	rpsdc.exe

outlook_office_path 1 IoCs

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rpsdc.exe

outlook_win_path 1 IoCs

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rpsdc.exe

C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENTS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe" C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddsju.hoc
Filesize
124KB

MD5
45026d81848c3db988183bdcd62828b9

SHA1
155a459e068c7882e9fd192013d6afb0ea155786

SHA256
b32e55107e8dfbb428607102ec40fc8123ed3bbc4896cf548495defea84e36be

SHA512
2377b36e464f4e66563933a737879baa208120c689a234028e12fe70a94315977f3a24fda0dd28274f742f7d21504c1208bef1545ef601b0226da5aa0a6fe50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga
Filesize
5KB

MD5
ce42256ca647574eafc90df151d2ff2b

SHA1
ec0163109e94bb2f454d73379a9e18a3bf899584

SHA256
c85f62bf397dc268c49f99012a6e68212fc33a4f887991662cd6e75276f9ea51

SHA512
427ca9ea0f34ce64b76bdd3a7622153dd20a45732616f783ae02669d872c874d761360315f76a83a1e8528301b5559147afe97f1f2b51bad589008b680b66696

Download Submit
\Users\Admin\AppData\Local\Temp\rpsdc.exe
Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
\Users\Admin\AppData\Local\Temp\rpsdc.exe
Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
memory/568-63-0x00000000004139DE-mapping.dmp

Download
memory/568-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/568-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads