lokibot | 4e0531aa678f89be4138738c05e5476139f54ca4ba9fb860766df049b7a3b3f4

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HSBC PAYMENTS.exe
Size

344KB
MD5

fcb423ac4af9801d133374c802e4a078
SHA1

a955322df787c658ae72eb9e4ea3c41117dfd346
SHA256

e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5
SHA512

75ba6a412e9cf78ff36f34655061d269d840b9ae9f804f9581a899d49a84e4fe371b3971173d9bee140385b53dd95007e8d209d1bbb96522b4d99930766fd2f8
SSDEEP

6144:8Ya6O4eRhQ9sVnQxU1vgT8m4ayccQrV/aXGGaoiNv5ZlG1arcEv7fCJ:8Y1eRh3nWUJgTsl5QrMWJ1RZvrc4fCJ

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://sempersim.su/ha12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 3 IoCs

Processes:

rpsdc.exerpsdc.exerpsdc.exe

pid process

1256 rpsdc.exe
844 rpsdc.exe
1800 rpsdc.exe
Loads dropped DLL 3 IoCs

Processes:

HSBC PAYMENTS.exerpsdc.exe

pid process

1476 HSBC PAYMENTS.exe
1256 rpsdc.exe
1256 rpsdc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1256	rpsdc.exe
844	rpsdc.exe
1800	rpsdc.exe

pid	process
1476	HSBC PAYMENTS.exe
1256	rpsdc.exe
1256	rpsdc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rpsdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rpsdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rpsdc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rpsdc.exe

description pid process target process

PID 1256 set thread context of 1800 1256 rpsdc.exe rpsdc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rpsdc.exe

pid process

1256 rpsdc.exe
1256 rpsdc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rpsdc.exe

description pid process

Token: SeDebugPrivilege 1800 rpsdc.exe

description	pid	process	target process
PID 1256 set thread context of 1800	1256	rpsdc.exe	rpsdc.exe

pid	process
1256	rpsdc.exe
1256	rpsdc.exe

description	pid	process
Token: SeDebugPrivilege	1800	rpsdc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

HSBC PAYMENTS.exerpsdc.exe

description	pid	process	target process
PID 1476 wrote to memory of 1256	1476	HSBC PAYMENTS.exe	rpsdc.exe
PID 1476 wrote to memory of 1256	1476	HSBC PAYMENTS.exe	rpsdc.exe
PID 1476 wrote to memory of 1256	1476	HSBC PAYMENTS.exe	rpsdc.exe
PID 1476 wrote to memory of 1256	1476	HSBC PAYMENTS.exe	rpsdc.exe
PID 1256 wrote to memory of 844	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 844	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 844	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 844	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 1800	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 1800	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 1800	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 1800	1256	rpsdc.exe	rpsdc.exe
PID 1256 wrote to memory of 1800	1256	rpsdc.exe	rpsdc.exe

outlook_office_path 1 IoCs

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rpsdc.exe

outlook_win_path 1 IoCs

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rpsdc.exe

C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENTS.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe" C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
3⤵
- Executes dropped EXE
PID:844

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddsju.hoc

Filesize
124KB

MD5
45026d81848c3db988183bdcd62828b9

SHA1
155a459e068c7882e9fd192013d6afb0ea155786

SHA256
b32e55107e8dfbb428607102ec40fc8123ed3bbc4896cf548495defea84e36be

SHA512
2377b36e464f4e66563933a737879baa208120c689a234028e12fe70a94315977f3a24fda0dd28274f742f7d21504c1208bef1545ef601b0226da5aa0a6fe50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga

Filesize
5KB

MD5
ce42256ca647574eafc90df151d2ff2b

SHA1
ec0163109e94bb2f454d73379a9e18a3bf899584

SHA256
c85f62bf397dc268c49f99012a6e68212fc33a4f887991662cd6e75276f9ea51

SHA512
427ca9ea0f34ce64b76bdd3a7622153dd20a45732616f783ae02669d872c874d761360315f76a83a1e8528301b5559147afe97f1f2b51bad589008b680b66696

Download Submit
\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
memory/1256-56-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1800-65-0x00000000004139DE-mapping.dmp

Download
memory/1800-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1800-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download