lokibot | 594bafd76c461932f100f8a586c77bbcfab182914062b92b4b24b6611e2d879b

General

Target

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
Size

490KB
MD5

a8f86e43a86f3e0047342917a3b4d823
SHA1

90e606c3aa0f2e7e438ad0eb4e43a391adf7af6a
SHA256

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743
SHA512

794f30895e43498d59449f680f6298b09a947003ff7f09a33ed2241a16cf5bfcaf06968511bf95e2d4ecb2554a19ca936396e21128b0a32bc9e6ce636ce6c6d5
SSDEEP

12288:Yes3/5HnQc1x6qDCRSMXZrT12L1fRFen:zwBHN3FDF0TMRfR8

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/c16/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

description	pid	process	target process
PID 3040 set thread context of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2436 schtasks.exe

pid	process
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exepowershell.exepowershell.exe

pid	process
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
2648	powershell.exe
2548	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

pid process

1768 454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

pid	process
1768	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exepowershell.exepowershell.exe454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

description	pid	process
Token: SeDebugPrivilege	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1768	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

description	pid	process	target process
PID 3040 wrote to memory of 2548	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2548	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2548	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2548	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2648	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2648	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2648	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2648	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	powershell.exe
PID 3040 wrote to memory of 2436	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	schtasks.exe
PID 3040 wrote to memory of 2436	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	schtasks.exe
PID 3040 wrote to memory of 2436	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	schtasks.exe
PID 3040 wrote to memory of 2436	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	schtasks.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
PID 3040 wrote to memory of 1768	3040	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

outlook_office_path 1 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

outlook_win_path 1 IoCs

Processes:

454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe

C:\Users\Admin\AppData\Local\Temp\454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
"C:\Users\Admin\AppData\Local\Temp\454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gmLDcEXOxYt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmLDcEXOxYt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E90.tmp"
2⤵
- Creates scheduled task(s)
PID:2436

C:\Users\Admin\AppData\Local\Temp\454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe
"C:\Users\Admin\AppData\Local\Temp\454e87da084f762d25dcb7858795f6bb6cd549cc0f1435177121b0eb66c17743.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9E90.tmp
Filesize
1KB

MD5
f3a4f604925aab2657b9ddbd1f11441f

SHA1
56d9fd6b95a07a1f0db49e13892bba06f1ae4089

SHA256
2a47b9f379bf9ae0205da9f633483aa709c896033226be01b08f078bf26e12f3

SHA512
3d3d6959ad3b363f56ffe4d30fcb4916133d27106ca3bb8b3b0951cfc780d08999b1698f3e8e0bd8614e324873a7df2ce294bd2f6126efc91808f58ab4318209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
125e79bf5fa0776019a434c3dfc65935

SHA1
7ad544c7b97ec37a831ebabba51676ebca695fb1

SHA256
4afd84fb26479e5ceb66dc9d09b585fc24eee2cfaab09f81a222cfe86275de65

SHA512
6ab9b37fde123309ce3c6b8535591b597c1a9cd81719ed184923a4489de9d7f6583ec39131092dcfcf93f955f64868162eb8a72da5f19cc0e972c72fe8e9444d

Download Submit
memory/1768-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1768-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-21-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1768-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2548-53-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-39-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2548-40-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-37-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2548-34-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-38-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/2648-36-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-33-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-54-0x000000006EDB0000-0x000000006F35B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-35-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/3040-4-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/3040-0-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/3040-32-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-20-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/3040-2-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/3040-3-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/3040-7-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-5-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/3040-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-6-0x0000000000B90000-0x0000000000BF2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads