lokibot | 65e3c180f76643587a2bcf7a1703597afadae0a9170521d8c2493a8cf0caf66c

General

Target

-Invoice.exe
Size

274KB
MD5

58140a0133fb3e9fdea86ce4f486a525
SHA1

cc8d7dcbcac7d663208a0c55c6cb1b3721697b9b
SHA256

db4039e00a0a08bf2da23a2eb516c83da306ff3f25d266a49fcead9779b1fbcd
SHA512

b77b5308000570f290d5389b35af6e060cad0bc9cf4048c877c4ad92c5b0a83b9870a6519eced52e2682094ee9568c3829043019b5827fe57ae12751e4b0041c
SSDEEP

6144:vYa6PH+xUOZ/MgTVynP9qYYhQBGX5oS+T5JpiY1pYxQ:vY1HAUQwnP9qNJYT5JpYy

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.60/project/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 2 IoCs

pid	Process
3684	htzzly.exe
4924	htzzly.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	htzzly.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	htzzly.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	htzzly.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 4924	3684	htzzly.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3684	htzzly.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	htzzly.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3684	4536	-Invoice.exe	82
PID 4536 wrote to memory of 3684	4536	-Invoice.exe	82
PID 4536 wrote to memory of 3684	4536	-Invoice.exe	82
PID 3684 wrote to memory of 4924	3684	htzzly.exe	83
PID 3684 wrote to memory of 4924	3684	htzzly.exe	83
PID 3684 wrote to memory of 4924	3684	htzzly.exe	83
PID 3684 wrote to memory of 4924	3684	htzzly.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	htzzly.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	htzzly.exe

C:\Users\Admin\AppData\Local\Temp\-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\-Invoice.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\htzzly.exe
  "C:\Users\Admin\AppData\Local\Temp\htzzly.exe" C:\Users\Admin\AppData\Local\Temp\bdnswy.ydb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\htzzly.exe
    "C:\Users\Admin\AppData\Local\Temp\htzzly.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdnswy.ydb

Filesize
5KB

MD5
972103a4a7204f0fc77c6e37b8976b32

SHA1
b8218a3b965902661f4c1a05d550989bd7f82881

SHA256
73cedeea375177d0abc69121a0b685a37119c36b7d761111026ababcf45779e5

SHA512
9a49f4e1cd9bb4cb9d4714cc0e20466f9ab3891d4ff146c107b4ff5a9750ca9277723b1925164c76837878aa8569abf0ec54bef7e0ae5147682d4dddd24fafae

Download Submit
C:\Users\Admin\AppData\Local\Temp\eftmskivy.liy

Filesize
124KB

MD5
8699ef3c3cc7f3b3d0588623174c7886

SHA1
a0c3bb58fda3ef57e87ff0fb91c9cc82ad162fe0

SHA256
6aa3c4942892e240cd6291aa417d18295c90c66a8fff2dce20de7b660274a2b5

SHA512
191b67529410ffb9e9a3cdea8030f234522c30c8286c3004f98cd2cc3d2c1d09944545999566fab45a23c3bb3f7df58e9490de3a14ebf8edd464d8b575de417b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\htzzly.exe

Filesize
329KB

MD5
88f52849750ccbf57402a3c174380874

SHA1
0a8b00e13c01410f86db266f77ccf82e1e55382a

SHA256
15360426feb81ba10042924b02410a1c3cb6972c3240279641d807976414e8d5

SHA512
d8195a2d6b1c008382c638a96fbdfd6ac787e330274bb1544713677d467ad26ffb9029792c733edfc95f95ef851b98fd81d0d439b8274664513906eee8ebbcb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2805025096-2326403612-4231045514-1000\0f5007522459c86e95ffcc62f32308f1_7669410e-8e67-41c6-8402-7b5abeec199f

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2805025096-2326403612-4231045514-1000\0f5007522459c86e95ffcc62f32308f1_7669410e-8e67-41c6-8402-7b5abeec199f

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/3684-140-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/4924-145-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-147-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-166-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4924-180-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing