lokibot | 7932cfa1b2b758cf2237b0630bf13432eb418cecdc01f6fb0003d1e655d02ef5

General

Target

tmp.exe
Size

524KB
MD5

80be92f8539b85927dfc997b0e39aace
SHA1

f3f36334fada958a0db24d3b8f1563d38a3cf463
SHA256

7932cfa1b2b758cf2237b0630bf13432eb418cecdc01f6fb0003d1e655d02ef5
SHA512

dac125a16f0feea31335d4ad4e480be0856df8ce33dd942d55140a6cac1fa2d4a81c5494584e016bd2dcd0447ccc7b83b8270a3c2704df212cb3b51763a612e1
SSDEEP

6144:/Ya6qB7/w2E+80TTL/PtbdWQZbiwopi9+Y9RchQPll89Hc87cSsr9EMOoNmCQE+2:/Y8Z780TTTPzWQNCiVI3H3PsiYQEFF

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

megcj.exemegcj.exe

pid process

2508 megcj.exe
4932 megcj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2508	megcj.exe
4932	megcj.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

megcj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	megcj.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	megcj.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	megcj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

megcj.exe

description pid process target process

PID 2508 set thread context of 4932 2508 megcj.exe megcj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

megcj.exe

pid process

2508 megcj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

megcj.exe

description pid process

Token: SeDebugPrivilege 4932 megcj.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

megcj.exe

pid process

2508 megcj.exe
2508 megcj.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

megcj.exe

pid process

2508 megcj.exe
2508 megcj.exe

description	pid	process	target process
PID 2508 set thread context of 4932	2508	megcj.exe	megcj.exe

pid	process
2508	megcj.exe

description	pid	process
Token: SeDebugPrivilege	4932	megcj.exe

pid	process
2508	megcj.exe
2508	megcj.exe

pid	process
2508	megcj.exe
2508	megcj.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

tmp.exemegcj.exe

description	pid	process	target process
PID 4824 wrote to memory of 2508	4824	tmp.exe	megcj.exe
PID 4824 wrote to memory of 2508	4824	tmp.exe	megcj.exe
PID 4824 wrote to memory of 2508	4824	tmp.exe	megcj.exe
PID 2508 wrote to memory of 4932	2508	megcj.exe	megcj.exe
PID 2508 wrote to memory of 4932	2508	megcj.exe	megcj.exe
PID 2508 wrote to memory of 4932	2508	megcj.exe	megcj.exe
PID 2508 wrote to memory of 4932	2508	megcj.exe	megcj.exe

outlook_office_path 1 IoCs

Processes:

megcj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	megcj.exe

outlook_win_path 1 IoCs

Processes:

megcj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	megcj.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\megcj.exe
"C:\Users\Admin\AppData\Local\Temp\megcj.exe" "C:\Users\Admin\AppData\Local\Temp\shyroimxe.au3"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\megcj.exe
"C:\Users\Admin\AppData\Local\Temp\megcj.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lzupv.si
Filesize
124KB

MD5
a75115094c86e8de320fc433ad3b24c8

SHA1
dcfdc727b2a8b53cc37185f01f6cc85409b567e2

SHA256
908ba6d141b8a836feefecd933209ccf11cce300e498375a5b3180980349bb80

SHA512
26e2c287db30802a710c446854c1d6371f069909aafb7220800126c580146545ae47af81439537f43ddc925fc46d810f29864fb32072ccb91f82bbe5b91a1727

Download Submit
C:\Users\Admin\AppData\Local\Temp\megcj.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\megcj.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\megcj.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyzcp.cc
Filesize
51KB

MD5
5dd9bf8e0b2a234049e898a53f927774

SHA1
690d9ec832c8086ab63830afa5da02960f8527e2

SHA256
f57f28e85831fe2e747bcdc55f955bdfd6d3a920eb77c48ef0259d5adda831fa

SHA512
8ac16c34a7cde0a906e7735f7b4f588d9bb35f2a5317727398a5d4140bcec73296a149489e2fdb859be734d9b353d76d9b3ca2f98bf17a481df74e6a1ed2c13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\shyroimxe.au3
Filesize
3KB

MD5
74568f8f910543d0f826d96bbca988f1

SHA1
21629bc8d05fcfdf6120e87a0360ca5f8f5e098f

SHA256
7ec36683a40cb65dfb0ed01db0a59eda7ad64a437b84103d3ac1b06946675291

SHA512
3efc1f9bf06f3ec54fbce486326731b82033309ca35494d769d2e7294965cd811dff8720470d2c6d2bd61d946a38c51a9e957fbaae59d9b4706ca11bddcda1d8

Download Submit
memory/2508-132-0x0000000000000000-mapping.dmp

Download
memory/4932-137-0x0000000000000000-mapping.dmp

Download
memory/4932-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4932-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads