lokibot | e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/09/2023, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ABDETYBF.exe
Size

783KB
MD5

dd32fbe95047642376227127eaffe815
SHA1

8d2c3539b0307816c4e0d447cb5b577cb6e15c07
SHA256

e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8
SHA512

97645a91ca1219a221ef60083adbbc07f4706030f5bc0669965fa3e53881c3422ae2aac0eb14d0dce7470ff7f06e2987d33bc7f1ee03aae93b34fa3ff81cdd49
SSDEEP

24576:yNA3R5drXP0lV4LIqzSVq1r+w/URexTF2+:L5OZzAr+0UExB1

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://fiorentcamcycle.redirectme.net/jzdgfsh/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 3 IoCs

pid	Process
2624	AhmetOdem.exe
2748	Ahmetoiuv.exe
2128	Ahmetoiuv.exe

Loads dropped DLL 8 IoCs

pid	Process
2976	ABDETYBF.exe
2976	ABDETYBF.exe
2976	ABDETYBF.exe
2976	ABDETYBF.exe
2976	ABDETYBF.exe
2976	ABDETYBF.exe
2976	ABDETYBF.exe
2748	Ahmetoiuv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Ahmetoiuv.exe
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Ahmetoiuv.exe
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Ahmetoiuv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2128	2748	Ahmetoiuv.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	Ahmetoiuv.exe
Token: SeDebugPrivilege	2128	Ahmetoiuv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2784	DllHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2624	2976	ABDETYBF.exe	28
PID 2976 wrote to memory of 2624	2976	ABDETYBF.exe	28
PID 2976 wrote to memory of 2624	2976	ABDETYBF.exe	28
PID 2976 wrote to memory of 2624	2976	ABDETYBF.exe	28
PID 2976 wrote to memory of 2748	2976	ABDETYBF.exe	29
PID 2976 wrote to memory of 2748	2976	ABDETYBF.exe	29
PID 2976 wrote to memory of 2748	2976	ABDETYBF.exe	29
PID 2976 wrote to memory of 2748	2976	ABDETYBF.exe	29
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31
PID 2748 wrote to memory of 2128	2748	Ahmetoiuv.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Ahmetoiuv.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Ahmetoiuv.exe

C:\Users\Admin\AppData\Local\Temp\ABDETYBF.exe
"C:\Users\Admin\AppData\Local\Temp\ABDETYBF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
  "C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe"
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
  "C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2128

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.jpg

Filesize
38KB

MD5
d012e63ffee27b2f473ec4b0e89080b8

SHA1
7e7f3d5b27ef2382ff287465d84f81c1092ef046

SHA256
6a5e42e58f2b883ca3a2055090649ed8e1af1e7b11bbde4d76d1bfaef3b7a625

SHA512
5586baefc85b71170ee224f819854bdb75756e3b22eb4f74f408054dd015db84444d119efa06d8651a8cd6b726ec0d0a442ce503b4caf602645cdfdc6295a414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-686452656-3203474025-4140627569-1000\0f5007522459c86e95ffcc62f32308f1_a38c7804-2682-486a-9c4a-7df759db8800

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-686452656-3203474025-4140627569-1000\0f5007522459c86e95ffcc62f32308f1_a38c7804-2682-486a-9c4a-7df759db8800

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
\Users\Admin\AppData\Local\Temp\AhmetOdem.exe

Filesize
306KB

MD5
3ffae71fdf23a86018fdf1e1b846eb2d

SHA1
4d8aaffca026d3a0336d996c21ae392022fcb00c

SHA256
5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15

SHA512
676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b

Download Submit
\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe

Filesize
293KB

MD5
39900a5f5037440f1380eb5efbdbd70d

SHA1
c661153d06c90c848694819095de0e57bc1bef25

SHA256
ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0

SHA512
19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376

Download Submit
memory/2128-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-45-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-41-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2624-32-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/2748-35-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-34-0x0000000000870000-0x00000000008C2000-memory.dmp

Filesize
328KB

Download
memory/2748-37-0x0000000001F60000-0x0000000001FAA000-memory.dmp

Filesize
296KB

Download
memory/2748-46-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-38-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2784-33-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2784-36-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2784-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download