lokibot | e7725edea9ad191d62ffe0f8cf45faaed5efed40ddcf3ed2f65dc258d82fc8fd

Analysis

max time kernel
93s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/03/2023, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

098f44e7799ce76f589bf48ea035a9b3.exe
Size

188KB
MD5

098f44e7799ce76f589bf48ea035a9b3
SHA1

d5dbf72ae43c7f2e35ff67d831b2eb8036fe55e4
SHA256

e7725edea9ad191d62ffe0f8cf45faaed5efed40ddcf3ed2f65dc258d82fc8fd
SHA512

04cc91e8e1bdfcbd317a4a7ce4e88c52b334b7886e7fceb181be3477a8ecadfd7170a8b1dc6a03bf4072361ea74aaf476be2ccdc7c33bf65c41fb90ebf17a175
SSDEEP

3072:HfY/TU9fE9PEtuWbEYvC7bNARXCDdnTFiuo9pEWCOsPpVTLOEum8XP++Esaz0M:/Ya62Zq7bNAo3u9+W9A/wDwzV

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://185.246.220.85/bally/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1972	dudmur.exe
1452	dudmur.exe

Loads dropped DLL 3 IoCs

pid	Process
2000	098f44e7799ce76f589bf48ea035a9b3.exe
2000	098f44e7799ce76f589bf48ea035a9b3.exe
1972	dudmur.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dudmur.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dudmur.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dudmur.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1452	1972	dudmur.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1972	dudmur.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	dudmur.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1972	2000	098f44e7799ce76f589bf48ea035a9b3.exe	26
PID 2000 wrote to memory of 1972	2000	098f44e7799ce76f589bf48ea035a9b3.exe	26
PID 2000 wrote to memory of 1972	2000	098f44e7799ce76f589bf48ea035a9b3.exe	26
PID 2000 wrote to memory of 1972	2000	098f44e7799ce76f589bf48ea035a9b3.exe	26
PID 1972 wrote to memory of 1452	1972	dudmur.exe	27
PID 1972 wrote to memory of 1452	1972	dudmur.exe	27
PID 1972 wrote to memory of 1452	1972	dudmur.exe	27
PID 1972 wrote to memory of 1452	1972	dudmur.exe	27
PID 1972 wrote to memory of 1452	1972	dudmur.exe	27

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dudmur.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dudmur.exe

C:\Users\Admin\AppData\Local\Temp\098f44e7799ce76f589bf48ea035a9b3.exe
"C:\Users\Admin\AppData\Local\Temp\098f44e7799ce76f589bf48ea035a9b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\dudmur.exe
  "C:\Users\Admin\AppData\Local\Temp\dudmur.exe" C:\Users\Admin\AppData\Local\Temp\bllqmjlvzbu.tgn
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\dudmur.exe
    "C:\Users\Admin\AppData\Local\Temp\dudmur.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bllqmjlvzbu.tgn

Filesize
6KB

MD5
f7ff55447ebdf1ff1e5c2498f4ff6d80

SHA1
427c1c01e4e115ce53c504640c1766b32d8498ee

SHA256
13b604ef9d45757135376f75c0d058cd48887dc386aa10c090d513e0b83a9ce2

SHA512
f1409ef17029d59a04d51b543091dcd162b399aa988e4dab3dfbeb1c7aab98ecebaa37dd78f402ca1ae2cd95a74839395254ce9a45c6b76faef7758030bd6e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgkazlrzw.g

Filesize
124KB

MD5
3de95d071be7e83a9fa999b4fc146b7b

SHA1
e73a837ff8841602c8d48f33126de68f8600802a

SHA256
81d256757fc190ca03bd2bbb6f85c81baa6de0b4546cd5d898fe4607f9595b69

SHA512
0a5863ee0dc9d386cda7ca3a598fa5a740d6ceae7d45b03793fa7239632714ae0516ee24dcefef5e7163ac64cb5168add15aa6e6b7fb5badc5ecf2c4ebadaf09

Download Submit
\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
memory/1452-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1452-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1452-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1452-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download