lokibot | 76e975559502b94a74b755218f039112efff0157df33b684a05733d185bbe128

General

Target

e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe
Size

344KB
MD5

fcb423ac4af9801d133374c802e4a078
SHA1

a955322df787c658ae72eb9e4ea3c41117dfd346
SHA256

e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5
SHA512

75ba6a412e9cf78ff36f34655061d269d840b9ae9f804f9581a899d49a84e4fe371b3971173d9bee140385b53dd95007e8d209d1bbb96522b4d99930766fd2f8
SSDEEP

6144:8Ya6O4eRhQ9sVnQxU1vgT8m4ayccQrV/aXGGaoiNv5ZlG1arcEv7fCJ:8Y1eRh3nWUJgTsl5QrMWJ1RZvrc4fCJ

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

rpsdc.exerpsdc.exe

pid process

4704 rpsdc.exe
4564 rpsdc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4704	rpsdc.exe
4564	rpsdc.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rpsdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rpsdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rpsdc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rpsdc.exe

description pid process target process

PID 4704 set thread context of 4564 4704 rpsdc.exe rpsdc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rpsdc.exe

pid process

4704 rpsdc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rpsdc.exe

description pid process

Token: SeDebugPrivilege 4564 rpsdc.exe

description	pid	process	target process
PID 4704 set thread context of 4564	4704	rpsdc.exe	rpsdc.exe

pid	process
4704	rpsdc.exe

description	pid	process
Token: SeDebugPrivilege	4564	rpsdc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exerpsdc.exe

description	pid	process	target process
PID 2760 wrote to memory of 4704	2760	e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe	rpsdc.exe
PID 2760 wrote to memory of 4704	2760	e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe	rpsdc.exe
PID 2760 wrote to memory of 4704	2760	e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe	rpsdc.exe
PID 4704 wrote to memory of 4564	4704	rpsdc.exe	rpsdc.exe
PID 4704 wrote to memory of 4564	4704	rpsdc.exe	rpsdc.exe
PID 4704 wrote to memory of 4564	4704	rpsdc.exe	rpsdc.exe
PID 4704 wrote to memory of 4564	4704	rpsdc.exe	rpsdc.exe

outlook_office_path 1 IoCs

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rpsdc.exe

outlook_win_path 1 IoCs

Processes:

rpsdc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rpsdc.exe

C:\Users\Admin\AppData\Local\Temp\e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe
"C:\Users\Admin\AppData\Local\Temp\e14a5a244a1e4db82ccb8da0be57d841442851ede8cba912df309d3f033530b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe" C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\rpsdc.exe
"C:\Users\Admin\AppData\Local\Temp\rpsdc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddsju.hoc

Filesize
124KB

MD5
45026d81848c3db988183bdcd62828b9

SHA1
155a459e068c7882e9fd192013d6afb0ea155786

SHA256
b32e55107e8dfbb428607102ec40fc8123ed3bbc4896cf548495defea84e36be

SHA512
2377b36e464f4e66563933a737879baa208120c689a234028e12fe70a94315977f3a24fda0dd28274f742f7d21504c1208bef1545ef601b0226da5aa0a6fe50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpsdc.exe

Filesize
130KB

MD5
59861f231af4f940193446c9e915a077

SHA1
2a31cd7b95d1317fa256d6e9abcc8bd576461952

SHA256
7c11989e234025a2193d1d402388ff49b7fcfbffe371c858595102e66f40dff7

SHA512
d26979ed80b5a78d2bb58015973897025f6bf8b3bab9aa8c3c74562f06859e06c6c241b99f656ff82596e961552e2daf84b37db44bf1c033035dea6d009dbf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\yggjhcgy.lga

Filesize
5KB

MD5
ce42256ca647574eafc90df151d2ff2b

SHA1
ec0163109e94bb2f454d73379a9e18a3bf899584

SHA256
c85f62bf397dc268c49f99012a6e68212fc33a4f887991662cd6e75276f9ea51

SHA512
427ca9ea0f34ce64b76bdd3a7622153dd20a45732616f783ae02669d872c874d761360315f76a83a1e8528301b5559147afe97f1f2b51bad589008b680b66696

Download Submit
memory/4564-137-0x0000000000000000-mapping.dmp

Download
memory/4564-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4564-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4704-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads