lokibot | e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04

Analysis

max time kernel
143s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
08-02-2023 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exe
Size

209KB
MD5

900820f261e82e5c51ecaa86f2f68f86
SHA1

36da386baa0926789cd35eee6b6c60c555e7b469
SHA256

e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04
SHA512

a1e3db91b2e5a15f92a98e7ac0cbd2f2ca790c79a6f3e5626dc1933b9f78a50c791efb2bc8ee0cf04fab0b62e3dd875cb99a9aa9902c9e17cc61f60ccd8900c5
SSDEEP

3072:HfY/TU9fE9PEtueGbMuXzsnNIKqBFEpc+hg3KnuZ8cyJrS0qQsO+KABaa5AdFjOq:/Ya6hMujsnNIq+1+uGcyAUKKABaagF6q

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://sempersim.su/ha9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 2 IoCs

Processes:

odaeemxxl.exeodaeemxxl.exe

pid process

2436 odaeemxxl.exe
4904 odaeemxxl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2436	odaeemxxl.exe
4904	odaeemxxl.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

odaeemxxl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	odaeemxxl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	odaeemxxl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	odaeemxxl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

odaeemxxl.exe

description pid process target process

PID 2436 set thread context of 4904 2436 odaeemxxl.exe odaeemxxl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

odaeemxxl.exe

pid process

2436 odaeemxxl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

odaeemxxl.exe

description pid process

Token: SeDebugPrivilege 4904 odaeemxxl.exe

description	pid	process	target process
PID 2436 set thread context of 4904	2436	odaeemxxl.exe	odaeemxxl.exe

pid	process
2436	odaeemxxl.exe

description	pid	process
Token: SeDebugPrivilege	4904	odaeemxxl.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exeodaeemxxl.exe

description	pid	process	target process
PID 1160 wrote to memory of 2436	1160	e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exe	odaeemxxl.exe
PID 1160 wrote to memory of 2436	1160	e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exe	odaeemxxl.exe
PID 1160 wrote to memory of 2436	1160	e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exe	odaeemxxl.exe
PID 2436 wrote to memory of 4904	2436	odaeemxxl.exe	odaeemxxl.exe
PID 2436 wrote to memory of 4904	2436	odaeemxxl.exe	odaeemxxl.exe
PID 2436 wrote to memory of 4904	2436	odaeemxxl.exe	odaeemxxl.exe
PID 2436 wrote to memory of 4904	2436	odaeemxxl.exe	odaeemxxl.exe

outlook_office_path 1 IoCs

Processes:

odaeemxxl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	odaeemxxl.exe

outlook_win_path 1 IoCs

Processes:

odaeemxxl.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	odaeemxxl.exe

C:\Users\Admin\AppData\Local\Temp\e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exe
"C:\Users\Admin\AppData\Local\Temp\e2d5cfd16680135cafe37b18eb0e31958128120cffa627dbf7a22e1c8b2f5f04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe
"C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe" C:\Users\Admin\AppData\Local\Temp\fjlqm.qo
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe
"C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhccdghxgvy.j

Filesize
124KB

MD5
00ab929094f2434b6d889720f3eefcea

SHA1
e5d3f1533baf93276ff7c9ea7bda591d5a827e00

SHA256
5fce4c7c77a4b8e3cda2c34c3889d8fba935bf603878ef209dbc41c51b88d102

SHA512
1ae7fe445495a7123e370f2229d05c0ebf47e2bee58d6e612d4de70740c6d36f75c77106978797bcb70a519df5beb7d06a9761ac51674ab430b9c39e0cfd39ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjlqm.qo

Filesize
6KB

MD5
67fae5560972858de0de252eb8949c99

SHA1
e23ce2051bf95475b6612192ff08afb8faf5cc58

SHA256
81eb2f3d503c9b0929c16644fcda2b4c5d54c568c6965186eb9922ebeb53145c

SHA512
1a68ea8236d2a933d9c284de80401292546e5b7e5bd92b3906190da77e82814723902b5770d346b5c4a95bdf406583bd30639c87831d3d528dd118cbb490c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe

Filesize
131KB

MD5
6c63b9340fbe48d7a1610c398f5385d5

SHA1
7f17a734bc507ec479f24b28d5265d69ceb98464

SHA256
05d77bd4cea983fb507d51ed51051f5c20f9179f4d21304c93ae1c11bc314c61

SHA512
e83ca3ff5e6adef4795cad8abb305da7212b13d7758e127af80d602818f3176f8943739a1f86682b01e9f6554991f40b9fca287b267ef2b0a7609373be377e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe

Filesize
131KB

MD5
6c63b9340fbe48d7a1610c398f5385d5

SHA1
7f17a734bc507ec479f24b28d5265d69ceb98464

SHA256
05d77bd4cea983fb507d51ed51051f5c20f9179f4d21304c93ae1c11bc314c61

SHA512
e83ca3ff5e6adef4795cad8abb305da7212b13d7758e127af80d602818f3176f8943739a1f86682b01e9f6554991f40b9fca287b267ef2b0a7609373be377e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\odaeemxxl.exe

Filesize
131KB

MD5
6c63b9340fbe48d7a1610c398f5385d5

SHA1
7f17a734bc507ec479f24b28d5265d69ceb98464

SHA256
05d77bd4cea983fb507d51ed51051f5c20f9179f4d21304c93ae1c11bc314c61

SHA512
e83ca3ff5e6adef4795cad8abb305da7212b13d7758e127af80d602818f3176f8943739a1f86682b01e9f6554991f40b9fca287b267ef2b0a7609373be377e4f

Download Submit
memory/1160-156-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-139-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-127-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-128-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-129-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-130-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-131-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-132-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-133-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-134-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-135-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-137-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-136-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-158-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-138-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-140-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-141-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-142-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-143-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-144-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-146-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-145-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-147-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-148-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-159-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-150-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-151-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-152-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-153-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-154-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-155-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-120-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-164-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-126-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-149-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-160-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-161-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-162-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-163-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-165-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-157-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-166-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-121-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-122-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-123-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-125-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/1160-124-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-173-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-176-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-172-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-184-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-179-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-177-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-178-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-183-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-180-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-181-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-171-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-182-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-174-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-185-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-186-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-169-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-170-0x0000000076FB0000-0x000000007713E000-memory.dmp

Filesize
1.6MB

Download
memory/2436-167-0x0000000000000000-mapping.dmp

Download
memory/4904-201-0x00000000004139DE-mapping.dmp

Download
memory/4904-238-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4904-254-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download