lokibot | e7725edea9ad191d62ffe0f8cf45faaed5efed40ddcf3ed2f65dc258d82fc8fd

General

Target

098f44e7799ce76f589bf48ea035a9b3.exe
Size

188KB
MD5

098f44e7799ce76f589bf48ea035a9b3
SHA1

d5dbf72ae43c7f2e35ff67d831b2eb8036fe55e4
SHA256

e7725edea9ad191d62ffe0f8cf45faaed5efed40ddcf3ed2f65dc258d82fc8fd
SHA512

04cc91e8e1bdfcbd317a4a7ce4e88c52b334b7886e7fceb181be3477a8ecadfd7170a8b1dc6a03bf4072361ea74aaf476be2ccdc7c33bf65c41fb90ebf17a175
SSDEEP

3072:HfY/TU9fE9PEtuWbEYvC7bNARXCDdnTFiuo9pEWCOsPpVTLOEum8XP++Esaz0M:/Ya62Zq7bNAo3u9+W9A/wDwzV

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/bally/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
3044	dudmur.exe
3788	dudmur.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dudmur.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dudmur.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dudmur.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 3788	3044	dudmur.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3044	dudmur.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	dudmur.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3044	2728	098f44e7799ce76f589bf48ea035a9b3.exe	85
PID 2728 wrote to memory of 3044	2728	098f44e7799ce76f589bf48ea035a9b3.exe	85
PID 2728 wrote to memory of 3044	2728	098f44e7799ce76f589bf48ea035a9b3.exe	85
PID 3044 wrote to memory of 3788	3044	dudmur.exe	86
PID 3044 wrote to memory of 3788	3044	dudmur.exe	86
PID 3044 wrote to memory of 3788	3044	dudmur.exe	86
PID 3044 wrote to memory of 3788	3044	dudmur.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dudmur.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dudmur.exe

C:\Users\Admin\AppData\Local\Temp\098f44e7799ce76f589bf48ea035a9b3.exe
"C:\Users\Admin\AppData\Local\Temp\098f44e7799ce76f589bf48ea035a9b3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\dudmur.exe
  "C:\Users\Admin\AppData\Local\Temp\dudmur.exe" C:\Users\Admin\AppData\Local\Temp\bllqmjlvzbu.tgn
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\dudmur.exe
    "C:\Users\Admin\AppData\Local\Temp\dudmur.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bllqmjlvzbu.tgn

Filesize
6KB

MD5
f7ff55447ebdf1ff1e5c2498f4ff6d80

SHA1
427c1c01e4e115ce53c504640c1766b32d8498ee

SHA256
13b604ef9d45757135376f75c0d058cd48887dc386aa10c090d513e0b83a9ce2

SHA512
f1409ef17029d59a04d51b543091dcd162b399aa988e4dab3dfbeb1c7aab98ecebaa37dd78f402ca1ae2cd95a74839395254ce9a45c6b76faef7758030bd6e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dudmur.exe

Filesize
99KB

MD5
f058f6264f995e44cfdfbcacf3f9767c

SHA1
e44fb899c07f2d9e2f6bb8a874c30235cbd86003

SHA256
8e3aef172eb7f80494a328d2fcc3b47f1713a28bdb9cf02a7550cdf17466fcaa

SHA512
31bf579b1c75d34fda71cb07870f65c4c8bcc3838ff7636fbe30cf402c198a451be0c4efbace642c779d81bbb619338816f1ca234bbaad563cd22a87594840d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgkazlrzw.g

Filesize
124KB

MD5
3de95d071be7e83a9fa999b4fc146b7b

SHA1
e73a837ff8841602c8d48f33126de68f8600802a

SHA256
81d256757fc190ca03bd2bbb6f85c81baa6de0b4546cd5d898fe4607f9595b69

SHA512
0a5863ee0dc9d386cda7ca3a598fa5a740d6ceae7d45b03793fa7239632714ae0516ee24dcefef5e7163ac64cb5168add15aa6e6b7fb5badc5ecf2c4ebadaf09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\0f5007522459c86e95ffcc62f32308f1_2007c659-eb65-4631-bf41-16f7650120a3

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\0f5007522459c86e95ffcc62f32308f1_2007c659-eb65-4631-bf41-16f7650120a3

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/3788-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3788-146-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3788-147-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3788-166-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing