lokibot | 823266766e404bba77e7b98721cc503cbf6bfb2b6303c1b1c4c9f23a3ccc9ec2

General

Target

7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
Size

535KB
MD5

dce3a42744dfd9236299039e09ed1fc9
SHA1

e677a7accc88342822454c28a55cee05cc8d0ac0
SHA256

7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528
SHA512

ce85b18d067cf01f9563cd8c85f6eeba64f32cd55682a0a51fe7bdf2d395d69e5712ba88f88f9a890c3366125266e9319f3766adba30d80c695de553db2427de
SSDEEP

12288:J8/xQNl/Wqq9WylY3mVOgfhl9ZFn2IGkPyIfDD/zy/wlEYi:2mZy1VOgfb9NYU3r76

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/c17/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

description	pid	process	target process
PID 2624 set thread context of 1544	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2900 schtasks.exe

pid	process
2900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exepowershell.exepowershell.exe

pid	process
2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
2488	powershell.exe
2436	powershell.exe
2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

description	pid	process	target process
PID 2624 wrote to memory of 2436	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	powershell.exe
PID 2624 wrote to memory of 2436	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	powershell.exe
PID 2624 wrote to memory of 2436	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	powershell.exe
PID 2624 wrote to memory of 2488	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	powershell.exe
PID 2624 wrote to memory of 2488	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	powershell.exe
PID 2624 wrote to memory of 2488	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	powershell.exe
PID 2624 wrote to memory of 2900	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	schtasks.exe
PID 2624 wrote to memory of 2900	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	schtasks.exe
PID 2624 wrote to memory of 2900	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	schtasks.exe
PID 2624 wrote to memory of 1544	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 2624 wrote to memory of 1544	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 2624 wrote to memory of 1544	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 2624 wrote to memory of 1544	2624	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe	7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
"C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FGZscboXVnu.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FGZscboXVnu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4347.tmp"
2⤵
- Creates scheduled task(s)
PID:2900

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
2⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4347.tmp

Filesize
1KB

MD5
a71c60f0857fcae16844b76282e18857

SHA1
18094387e04150e11471dcff56cda7278f858608

SHA256
0c130fcc7814372a8f342459cc63726fe53f9092b28d645b8b5b5a018b3f0b87

SHA512
f69dfa1a2e9abc91758bcb247636c809e16eab31f298035b50df0198d77830f0c05fe2e1025909675f3027579d8852bc9543680c1fdb45c3ecf9e7870c06adb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3NQWQKT7YO8YXW6B7ZCY.temp

Filesize
7KB

MD5
adb59c0d06e1d77c0ec53e461bcbc0cd

SHA1
3df90096c4e999545c062b4c0b291dc2ed1a47a7

SHA256
f41940990c14b85efb25a4dfc434fca537560bdc1a9d499981c1644c0aefcbaf

SHA512
ae1a64c6abf37139cab7f2bcb6c3afb46f1cafe2de95db0a95776433d16f59f52e127f35ee124704c55445f0cb7622de17ddf8ff54b6d2df1b7e8a8be2442300

Download Submit
memory/1544-33-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-22-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2436-25-0x000007FEED550000-0x000007FEEDEED000-memory.dmp

Filesize
9.6MB

Download
memory/2436-26-0x000007FEED550000-0x000007FEEDEED000-memory.dmp

Filesize
9.6MB

Download
memory/2436-29-0x00000000023CB000-0x0000000002432000-memory.dmp

Filesize
412KB

Download
memory/2436-27-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/2488-32-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2488-23-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2488-31-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2488-30-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2488-28-0x000007FEED550000-0x000007FEEDEED000-memory.dmp

Filesize
9.6MB

Download
memory/2488-37-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2624-6-0x000000001BD60000-0x000000001BDC0000-memory.dmp

Filesize
384KB

Download
memory/2624-24-0x000000001B9B0000-0x000000001BA52000-memory.dmp

Filesize
648KB

Download
memory/2624-7-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-0-0x0000000000C00000-0x0000000000C8C000-memory.dmp

Filesize
560KB

Download
memory/2624-5-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2624-4-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/2624-3-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/2624-2-0x0000000000B70000-0x0000000000BF0000-memory.dmp

Filesize
512KB

Download
memory/2624-36-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-1-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads