lokibot | db8eae6ede6a43fac5b49d89810a2e17c3e2c0d78c6487af3b6532e4a32779ce

General

Target

HSBC Advise_pdf.exe
Size

356KB
MD5

9587102c110910a51b37b74ce40e2362
SHA1

4126184e03449d077a878c0c3201508cf66e8ce4
SHA256

db8eae6ede6a43fac5b49d89810a2e17c3e2c0d78c6487af3b6532e4a32779ce
SHA512

f2cbec2e3fbac6eb518faa9a3828db0034e3c38c78fa573199175219252485bb8267605e4847fc0113d09af33fdfcd1a671b53bcf0c043155ef6e3bdeb8c1c3e
SSDEEP

6144:uYa6TFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFY:uY///tP2MgwSDevfvFep+O3

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha12/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
864	ohepcmepaf.exe
4892	ohepcmepaf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ohepcmepaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ohepcmepaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ohepcmepaf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 4892	864	ohepcmepaf.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
864	ohepcmepaf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	ohepcmepaf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 864	4328	HSBC Advise_pdf.exe	82
PID 4328 wrote to memory of 864	4328	HSBC Advise_pdf.exe	82
PID 4328 wrote to memory of 864	4328	HSBC Advise_pdf.exe	82
PID 864 wrote to memory of 4892	864	ohepcmepaf.exe	83
PID 864 wrote to memory of 4892	864	ohepcmepaf.exe	83
PID 864 wrote to memory of 4892	864	ohepcmepaf.exe	83
PID 864 wrote to memory of 4892	864	ohepcmepaf.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ohepcmepaf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ohepcmepaf.exe

C:\Users\Admin\AppData\Local\Temp\HSBC Advise_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Advise_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe
  "C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe" C:\Users\Admin\AppData\Local\Temp\ffifn.z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe
    "C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ffifn.z

Filesize
5KB

MD5
f6d88da8df52578bbf8023b3425e45a3

SHA1
0ce6ab36809498fc0e57e0e542247cbad6222885

SHA256
a2a79426ba2f347aededfd6c29733bf1fdf66ecf9fa900d7fb64de5482b4767d

SHA512
accd3c6bd8a1537d82d91c0dd09ed365af9dae7e8424c81470036a15b2072d6430d3cc732329f44837009f9767226b49f857743df45702c55f44a321beaa6cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnffuijwc.dn

Filesize
124KB

MD5
d0d7600862f71f86a72fc4a8f0ac7e94

SHA1
208be4aa6b02b68e967c14e21613f96debd9bec9

SHA256
c75e2c34bd89e0c1d60bb3ffce9caa7acf04e77c315a043f412d419f17319b92

SHA512
26455bb18f03bd4bf57e98295fba5aef4a0db0a85626b758779b4d80b9ff5b704b674cdaa468dc009369d9be720b90ae65c6a0b4a6d5dce891e38efd4d6e1a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe

Filesize
131KB

MD5
0f4ef42ba22255821c2bee2c49d8c253

SHA1
c2e4feb3ffd2fe54050e63597d7b8e007aa5d57e

SHA256
ce884e7ed3c712419874912d8f205d962bb11a451e951a419abe2f90de7eaab9

SHA512
97affbaf0f081bee08e03ee7ce3e979ee52b8a997c2041859297186939ed9a1a66cbc319dee8dbb748d8633f543e75ff210abf064234d7a39c1fe81e2daed417

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe

Filesize
131KB

MD5
0f4ef42ba22255821c2bee2c49d8c253

SHA1
c2e4feb3ffd2fe54050e63597d7b8e007aa5d57e

SHA256
ce884e7ed3c712419874912d8f205d962bb11a451e951a419abe2f90de7eaab9

SHA512
97affbaf0f081bee08e03ee7ce3e979ee52b8a997c2041859297186939ed9a1a66cbc319dee8dbb748d8633f543e75ff210abf064234d7a39c1fe81e2daed417

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe

Filesize
131KB

MD5
0f4ef42ba22255821c2bee2c49d8c253

SHA1
c2e4feb3ffd2fe54050e63597d7b8e007aa5d57e

SHA256
ce884e7ed3c712419874912d8f205d962bb11a451e951a419abe2f90de7eaab9

SHA512
97affbaf0f081bee08e03ee7ce3e979ee52b8a997c2041859297186939ed9a1a66cbc319dee8dbb748d8633f543e75ff210abf064234d7a39c1fe81e2daed417

Download Submit
memory/4892-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4892-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing