lokibot | cd795efaecacad8749827588ac045d9d209a0eb29656a0c5cc903f1ad49231d7

Analysis

max time kernel
133s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe
Size

657KB
MD5

0e791ce3c5922bb2cd95f33b59296db3
SHA1

b2f53b32ccef839718bbd47b560daeb7e8aa541c
SHA256

0c82feaf206d2633de0904b7fe4f34da47e4dcf08079afd668101c180e2df32d
SHA512

011c5e502bc3a90f9672411b81c44967401d91365f0951e22c2a4621e27f702696c528d5da4c1484d579b9b6cd22b2d3441d6989d96103e4c2b0599c9dfdcaf2
SSDEEP

12288:uqUyZzjn9co0d0wvvSQNCY62XACRCY27D8:xdZKo02cvS4CY6iAqCY27Y

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://novlkyy.shop/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 3 IoCs

Processes:

PO.exeW.exeWG.exe

pid process

3008 PO.exe
2700 W.exe
3016 WG.exe

pid	process
3008	PO.exe
2700	W.exe
3016	WG.exe

Loads dropped DLL 10 IoCs

Processes:

Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exePO.exeW.exe

pid	process
928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe
928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe
928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe
3008	PO.exe
3008	PO.exe
3008	PO.exe
2700	W.exe
2700	W.exe
2700	W.exe
2700	W.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WG.exe

description pid process target process

PID 3016 set thread context of 2836 3016 WG.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WG.exe

pid process

3016 WG.exe
3016 WG.exe
3016 WG.exe
3016 WG.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1060 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WG.exeaspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 3016 WG.exe
Token: SeDebugPrivilege 2836 aspnet_compiler.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid process

2900 DllHost.exe
2900 DllHost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1060 AcroRd32.exe
1060 AcroRd32.exe
1060 AcroRd32.exe

description	pid	process	target process
PID 3016 set thread context of 2836	3016	WG.exe	aspnet_compiler.exe

pid	process
3016	WG.exe
3016	WG.exe
3016	WG.exe
3016	WG.exe

pid	process
1060	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	3016	WG.exe
Token: SeDebugPrivilege	2836	aspnet_compiler.exe

pid	process
2900	DllHost.exe
2900	DllHost.exe

pid	process
1060	AcroRd32.exe
1060	AcroRd32.exe
1060	AcroRd32.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exePO.exeW.exeWG.exe

description	pid	process	target process
PID 928 wrote to memory of 3008	928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe	PO.exe
PID 928 wrote to memory of 3008	928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe	PO.exe
PID 928 wrote to memory of 3008	928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe	PO.exe
PID 928 wrote to memory of 3008	928	Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe	PO.exe
PID 3008 wrote to memory of 2700	3008	PO.exe	W.exe
PID 3008 wrote to memory of 2700	3008	PO.exe	W.exe
PID 3008 wrote to memory of 2700	3008	PO.exe	W.exe
PID 3008 wrote to memory of 2700	3008	PO.exe	W.exe
PID 2700 wrote to memory of 3016	2700	W.exe	WG.exe
PID 2700 wrote to memory of 3016	2700	W.exe	WG.exe
PID 2700 wrote to memory of 3016	2700	W.exe	WG.exe
PID 2700 wrote to memory of 3016	2700	W.exe	WG.exe
PID 2700 wrote to memory of 1060	2700	W.exe	AcroRd32.exe
PID 2700 wrote to memory of 1060	2700	W.exe	AcroRd32.exe
PID 2700 wrote to memory of 1060	2700	W.exe	AcroRd32.exe
PID 2700 wrote to memory of 1060	2700	W.exe	AcroRd32.exe
PID 3016 wrote to memory of 2748	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2748	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2748	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2748	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2828	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2828	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2828	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2828	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe
PID 3016 wrote to memory of 2836	3016	WG.exe	aspnet_compiler.exe

outlook_office_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe

outlook_win_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe
"C:\Users\Admin\AppData\Local\Temp\Заказ на покупку_(P.O_6203445-2024)_Викторович ООО.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\W.exe
"C:\Users\Admin\AppData\Local\Temp\W.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\WG.exe
"C:\Users\Admin\AppData\Local\Temp\WG.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2836

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\P.pdf"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\P.pdf
Filesize
4KB

MD5
f560e00f53dea14bd7fc6125f13aa825

SHA1
d51ca79113f079bca8ff2f3e449489beff506622

SHA256
c793a9db38275862d5d8bf78842fbd3c816cccdfa1bcd4480016dedfa0c80a0e

SHA512
afc3efe32b1650814d469b0d23a78326b44b43a7e6facccdbaaa00b06afa9c0e9ba74676542212ac082661686000575bc895d07b1b510d57053f30058508c8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WG.exe
Filesize
162KB

MD5
c8b4d9698c953b74a2445cb0f332b6e9

SHA1
8afd87832afb293bb4c8df009372ba99a0bc11f6

SHA256
127b554df0df16afcc669913442e0a931ca2b0aa27081a19f9d7e9cb3dbd85cb

SHA512
b8e3fe78439ebf6b8db042a7912b23168191cd342b996887e0c91a404ba969441793de83a2a7230a1e3111e23944394b59335b16bc132c26737ab8fd0b996fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.ico
Filesize
66KB

MD5
101b6231326a6178786c318cfc2e1f99

SHA1
7aa127501f215fbdbc866c2f5a95843c7cfd4d8f

SHA256
85ef2d104241a6be6bba04c8145e836afc605d817de3ad7f288928684f177b1c

SHA512
f50976b939c361441c9a1c18e57d1be3384c62ab0ac7093e35817bd212597cac494e6c322603b95275a642c2ca723c805484a78e9728bc3de9a6638260c3ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\innovent.ru.jpg
Filesize
7KB

MD5
f5f4fc04574c364a849dcae4bceeb4c9

SHA1
f1ba9d95a3320be07a9e36fb142c1fb312dfa518

SHA256
705dcdc34bb90bc413150515fa7f4b9238bb649b710bce1bed7c369566e6ef38

SHA512
c57ee19292d8b4684323fdca65236956aca4719bb54a5537ad02df143e7b44ad92ed7b2db8ce2a0636cc0674c006de518d61fc1e09e33668539436320a6d681e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
e6e4c9df423290a53567f63d7a9ddb64

SHA1
d76bc501ac098a94872bcd027175aba6323626db

SHA256
cd8e7bd4a8a28d82e590852356af4f406d287a769e3bc7d70edc191e946c11fc

SHA512
22b216c402e5bc382b7a9024a258e44879efb0eaf149f3f4d074fa20f4bf675357158af8626daa6a889d60b0339a2455bc6736c3174898ef68708e39f871a710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3427588347-1492276948-3422228430-1000\0f5007522459c86e95ffcc62f32308f1_d944c546-b3e1-4f8c-a2cd-c02cbd20099d
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3427588347-1492276948-3422228430-1000\0f5007522459c86e95ffcc62f32308f1_d944c546-b3e1-4f8c-a2cd-c02cbd20099d
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
\Users\Admin\AppData\Local\Temp\PO.exe
Filesize
513KB

MD5
9b99b4202796125646f24b24f3779221

SHA1
db870727d2617c9633ea606d171f2d96f95ba2e1

SHA256
77d2b275a0eddc02d7e2fa674bb9917d77132bdb4ee41f042b862b2aefe17816

SHA512
2247560b8b6c095fcb47787c89e5f94a28cfcb9ca8685729987615ca5f2f2ae2d938fb6042cc5a13a9e18eb503e63145e4ed30d28571ad7870378a0c253dfc45

Download Submit
\Users\Admin\AppData\Local\Temp\W.exe
Filesize
374KB

MD5
9e5f4dcd874e97732be7d34c3a86867e

SHA1
768133c43ea0afa420bd6920bfbaf5941611c570

SHA256
70fcbefcbb4183a1235d74c7e18baf7deaa1baa5fa7d25bad6a82af4eb7ec087

SHA512
aa60572e25cfb762b7a46502f8a3d0cd502a7d81c0016c4b27c04cb2a941fe70bd899900bdb6cd37831db19ab6220c11f06ebec7e535daf40b9b171617d98190

Download Submit
memory/928-21-0x0000000002F40000-0x0000000002F42000-memory.dmp

Filesize
8KB

Download
memory/2836-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2836-120-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-108-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2836-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2900-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2900-22-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2900-112-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/3016-53-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/3016-57-0x000000001A900000-0x000000001A980000-memory.dmp

Filesize
512KB

Download
memory/3016-74-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-56-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-58-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download