lokibot | 65e3c180f76643587a2bcf7a1703597afadae0a9170521d8c2493a8cf0caf66c

General

Target

-Invoice.exe
Size

274KB
MD5

58140a0133fb3e9fdea86ce4f486a525
SHA1

cc8d7dcbcac7d663208a0c55c6cb1b3721697b9b
SHA256

db4039e00a0a08bf2da23a2eb516c83da306ff3f25d266a49fcead9779b1fbcd
SHA512

b77b5308000570f290d5389b35af6e060cad0bc9cf4048c877c4ad92c5b0a83b9870a6519eced52e2682094ee9568c3829043019b5827fe57ae12751e4b0041c
SSDEEP

6144:vYa6PH+xUOZ/MgTVynP9qYYhQBGX5oS+T5JpiY1pYxQ:vY1HAUQwnP9qNJYT5JpYy

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.60/project/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
1988	htzzly.exe
1956	htzzly.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	-Invoice.exe
1988	htzzly.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	htzzly.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	htzzly.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	htzzly.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 1956	1988	htzzly.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1988	htzzly.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	htzzly.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1988	2016	-Invoice.exe	28
PID 2016 wrote to memory of 1988	2016	-Invoice.exe	28
PID 2016 wrote to memory of 1988	2016	-Invoice.exe	28
PID 2016 wrote to memory of 1988	2016	-Invoice.exe	28
PID 1988 wrote to memory of 1956	1988	htzzly.exe	29
PID 1988 wrote to memory of 1956	1988	htzzly.exe	29
PID 1988 wrote to memory of 1956	1988	htzzly.exe	29
PID 1988 wrote to memory of 1956	1988	htzzly.exe	29
PID 1988 wrote to memory of 1956	1988	htzzly.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	htzzly.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	htzzly.exe

C:\Users\Admin\AppData\Local\Temp\-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\-Invoice.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\htzzly.exe
  "C:\Users\Admin\AppData\Local\Temp\htzzly.exe" C:\Users\Admin\AppData\Local\Temp\bdnswy.ydb
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\htzzly.exe
    "C:\Users\Admin\AppData\Local\Temp\htzzly.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdnswy.ydb

Filesize
5KB

MD5
972103a4a7204f0fc77c6e37b8976b32

SHA1
b8218a3b965902661f4c1a05d550989bd7f82881

SHA256
73cedeea375177d0abc69121a0b685a37119c36b7d761111026ababcf45779e5

SHA512
9a49f4e1cd9bb4cb9d4714cc0e20466f9ab3891d4ff146c107b4ff5a9750ca9277723b1925164c76837878aa8569abf0ec54bef7e0ae5147682d4dddd24fafae

Download Submit
C:\Users\Admin\AppData\Local\Temp\eftmskivy.liy

Filesize
124KB

MD5
8699ef3c3cc7f3b3d0588623174c7886

SHA1
a0c3bb58fda3ef57e87ff0fb91c9cc82ad162fe0

SHA256
6aa3c4942892e240cd6291aa417d18295c90c66a8fff2dce20de7b660274a2b5

SHA512
191b67529410ffb9e9a3cdea8030f234522c30c8286c3004f98cd2cc3d2c1d09944545999566fab45a23c3bb3f7df58e9490de3a14ebf8edd464d8b575de417b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
memory/1956-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1956-78-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing