lokibot | 9ee5d34b5de79e79f492e962d73fb45d7eb63d6b5f146e29a1a27a7bcb6c9a14

General

Target

FedEx_AWB#725323201643.exe
Size

446KB
MD5

255f19c4ccdc14e35b44074ffc8e5607
SHA1

2a694b6ca0e8c00a09eab590a45964cc301a4b75
SHA256

9ee5d34b5de79e79f492e962d73fb45d7eb63d6b5f146e29a1a27a7bcb6c9a14
SHA512

73a749978219906d58b5e3b7740e86c91d1aa073f00b281787667c1d042fe5f37b609549d8b7eb730d391513f16dd5b3375bf083a76bc3194015cc48353d6482
SSDEEP

12288:KPV/OR9skrZfEgQq02Bs8RgIrQrDT1l+B/JMdWf8QT:/3vr2202+82I8rtaBM4f8

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://216.128.145.196/~wellseconds/?p=66663842554017

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 3012	1456	FedEx_AWB#725323201643.exe	30

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	FedEx_AWB#725323201643.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	FedEx_AWB#725323201643.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30
PID 1456 wrote to memory of 3012	1456	FedEx_AWB#725323201643.exe	30

C:\Users\Admin\AppData\Local\Temp\FedEx_AWB#725323201643.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx_AWB#725323201643.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\FedEx_AWB#725323201643.exe
  "C:\Users\Admin\AppData\Local\Temp\FedEx_AWB#725323201643.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3408354897-1169622894-3874090110-1000\0f5007522459c86e95ffcc62f32308f1_a6560253-2ecd-483b-9463-1559fdcc6213

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3408354897-1169622894-3874090110-1000\0f5007522459c86e95ffcc62f32308f1_a6560253-2ecd-483b-9463-1559fdcc6213

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/1456-77-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1456-55-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1456-56-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1456-57-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/1456-58-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/1456-59-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1456-60-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1456-61-0x0000000000BA0000-0x0000000000BFA000-memory.dmp

Filesize
360KB

Download
memory/1456-54-0x0000000001250000-0x00000000012C4000-memory.dmp

Filesize
464KB

Download
memory/3012-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3012-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3012-96-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing