lokibot | 2101e0726bf4d7126778725e4e13682f2ca5e1aca62cdbd0c19dc781d9492b49

General

Target

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
Size

199KB
MD5

ecd901a84b82d00a82d45b4d0123352c
SHA1

d8780c1bfa80cd77eee71e8d3bd58699cc3f114b
SHA256

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af
SHA512

058658693bbc1e27a4feb2760112d8b7ead2e2b305b210fa3f53fcfdbd356c60aa2484264c89e634d521aa8e993054434efa6996992f5ce463e2d796b0d77518
SSDEEP

6144:/Ya6c/gRLtu+LizVGXUl45puYIlS7HpQd8l:/Y6IRLtu+LCc5HIc9Qil

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

wsbwv.exewsbwv.exe

pid process

1904 wsbwv.exe
956 wsbwv.exe
Loads dropped DLL 2 IoCs

Processes:

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exewsbwv.exe

pid process

880 eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
1904 wsbwv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1904	wsbwv.exe
956	wsbwv.exe

pid	process
880	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
1904	wsbwv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wsbwv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wsbwv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wsbwv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wsbwv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wsbwv.exe

description pid process target process

PID 1904 set thread context of 956 1904 wsbwv.exe wsbwv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

wsbwv.exe

pid process

1904 wsbwv.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wsbwv.exe

description pid process

Token: SeDebugPrivilege 956 wsbwv.exe

description	pid	process	target process
PID 1904 set thread context of 956	1904	wsbwv.exe	wsbwv.exe

pid	process
1904	wsbwv.exe

description	pid	process
Token: SeDebugPrivilege	956	wsbwv.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exewsbwv.exe

description	pid	process	target process
PID 880 wrote to memory of 1904	880	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 880 wrote to memory of 1904	880	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 880 wrote to memory of 1904	880	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 880 wrote to memory of 1904	880	eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe	wsbwv.exe
PID 1904 wrote to memory of 956	1904	wsbwv.exe	wsbwv.exe
PID 1904 wrote to memory of 956	1904	wsbwv.exe	wsbwv.exe
PID 1904 wrote to memory of 956	1904	wsbwv.exe	wsbwv.exe
PID 1904 wrote to memory of 956	1904	wsbwv.exe	wsbwv.exe
PID 1904 wrote to memory of 956	1904	wsbwv.exe	wsbwv.exe

outlook_office_path 1 IoCs

Processes:

wsbwv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wsbwv.exe

outlook_win_path 1 IoCs

Processes:

wsbwv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wsbwv.exe

C:\Users\Admin\AppData\Local\Temp\eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe
"C:\Users\Admin\AppData\Local\Temp\eee5109b395394fb7899319c800346434515c733d75664882bfd76156c38c2af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\wsbwv.exe
"C:\Users\Admin\AppData\Local\Temp\wsbwv.exe" C:\Users\Admin\AppData\Local\Temp\vrmmldr.b
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\wsbwv.exe
"C:\Users\Admin\AppData\Local\Temp\wsbwv.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dakxtybzlfr.xwg

Filesize
124KB

MD5
8ea73f85a44f7d85b1fcf620dfb646ce

SHA1
2eb620709c023dea5a6f9d654d0a8e035aee0c93

SHA256
6b86a07f89f490cde8421e973c1c1a51aafc0dd91a91ae34152e08471f04f759

SHA512
6d1b271382d9548f89b6054b708f6f752bcd1bcd1a28793e4a532c52add33ae96fde36cb31e47077e79306fe049f12009212bffa04558e8f2ab9e0595c243ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrmmldr.b

Filesize
5KB

MD5
124a8185fb1e05bda4bf7be2e65a7e80

SHA1
176cfc76e1d53a76408b6edf18d4447d54f12229

SHA256
9af00b26c915bda0c0ece51ff6d1cccf460f935c1e24807f04fee3ed77d5d71a

SHA512
7f249f4ea75db8842e2a19599079af6033ad22d8b16b45b854256856b27443559c5aeabd59642e8d5a176b89497db262ab246efd34bb390ed2475178d7f1361c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
\Users\Admin\AppData\Local\Temp\wsbwv.exe

Filesize
129KB

MD5
bf527dd2218cb2fbded31759c3a3c5f5

SHA1
b0a7e2f762f9143205e12cfd36a4bd04989d4213

SHA256
a3aed03537bb9904c2ae3ab89185508cc9513655082107ca5edf0902fad7419c

SHA512
5b81bfc6ac8ecf858958a0c3b3f7fb62955165e2870b61f48989ac7e58fd4641326a1f700fd1a1d8721c1ebbd794288d2dc18fa033840561cba3e10893bba677

Download Submit
memory/880-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/956-62-0x00000000004139DE-mapping.dmp

Download
memory/956-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/956-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1904-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads