lokibot | d6bd09cadd7a09d19d66293a896e2ed1d3d9a05968082061e3a9923fa08bb03f

General

Target

48321b3ae7cef1a9ac6332d20307fbca.exe
Size

390KB
MD5

48321b3ae7cef1a9ac6332d20307fbca
SHA1

3c1f8e0ea31b8612b1a63fd7441062c0f7d54651
SHA256

d6bd09cadd7a09d19d66293a896e2ed1d3d9a05968082061e3a9923fa08bb03f
SHA512

dc4bb367be32c3e641019607ad2318978440286af46aa6c35329d81328c6fb1794ede0ee324f91cce93ee74b653b71af557654238a3adb9f506e33d72ad30298
SSDEEP

6144:7Plxh9hrTKx6/QlIU5fNQlYegHrSnSPrbjRbDboVf17fzzH+M:pobhUPnf

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://kersterus.gq/wp-content/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

48321b3ae7cef1a9ac6332d20307fbca.exe

description pid process target process

PID 1580 set thread context of 3828 1580 48321b3ae7cef1a9ac6332d20307fbca.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

48321b3ae7cef1a9ac6332d20307fbca.exe

pid process

1580 48321b3ae7cef1a9ac6332d20307fbca.exe
1580 48321b3ae7cef1a9ac6332d20307fbca.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

48321b3ae7cef1a9ac6332d20307fbca.exevbc.exe

description pid process

Token: SeDebugPrivilege 1580 48321b3ae7cef1a9ac6332d20307fbca.exe
Token: SeDebugPrivilege 3828 vbc.exe

description	pid	process	target process
PID 1580 set thread context of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe

pid	process
1580	48321b3ae7cef1a9ac6332d20307fbca.exe
1580	48321b3ae7cef1a9ac6332d20307fbca.exe

description	pid	process
Token: SeDebugPrivilege	1580	48321b3ae7cef1a9ac6332d20307fbca.exe
Token: SeDebugPrivilege	3828	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

48321b3ae7cef1a9ac6332d20307fbca.execsc.exe

description	pid	process	target process
PID 1580 wrote to memory of 3768	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	csc.exe
PID 1580 wrote to memory of 3768	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	csc.exe
PID 1580 wrote to memory of 3768	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	csc.exe
PID 3768 wrote to memory of 4108	3768	csc.exe	cvtres.exe
PID 3768 wrote to memory of 4108	3768	csc.exe	cvtres.exe
PID 3768 wrote to memory of 4108	3768	csc.exe	cvtres.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe
PID 1580 wrote to memory of 3828	1580	48321b3ae7cef1a9ac6332d20307fbca.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\48321b3ae7cef1a9ac6332d20307fbca.exe
"C:\Users\Admin\AppData\Local\Temp\48321b3ae7cef1a9ac6332d20307fbca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evldawnf\evldawnf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp" "c:\Users\Admin\AppData\Local\Temp\evldawnf\CSC778A97232140473CB899E1F6796357B.TMP"
3⤵
PID:4108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B1E.tmp
Filesize
1KB

MD5
b4bb9c14c4232713c375379d018a602e

SHA1
bd5b834556dba3adbccff468c7b175943921239c

SHA256
ac0c9679ceafb1f443dee32841360ecbd7026c97228924f2007b7ea13f0c65b8

SHA512
d078aeae4c899157e440fe8ca598f5939b1217c6f002cea25407f3e2f2efc7e57bf2d2eb8a07cbb96816e38d2e40041f8e32cccbe0a197e2cd26ccbf611a37af

Download Submit
C:\Users\Admin\AppData\Local\Temp\evldawnf\evldawnf.dll
Filesize
6KB

MD5
5012da416e7e430db76c9210ef9142b5

SHA1
c8904e8d5fbda512f947184848d582319080d182

SHA256
4b6903a2dc9ac82166dfacf7d563d4718daaea860a2aeafd1270e5037a515e6b

SHA512
c084842522ff3bf851896761707abcb25a4ff2228aca725275d765dc2e66188b09a0a7d5ca2b3c8f6a8b7c19c298d058a489042c3ac6fade056887e23bac37f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\evldawnf\evldawnf.pdb
Filesize
19KB

MD5
22750cd0214026a537317c18c5530a79

SHA1
f33e24df850611ddba0a169aafbb657a11fe357c

SHA256
6cc32472a578d18a65c1e4c0e9f0c78071f1c2e45b8e0a78dbb7ab1f365cf530

SHA512
8983b3c7b3b609fd32dd5abf4c5189281f866a934c03a08610cb761ec75d23a1a3d3bba33f3ace5d515d0ca73aa1cdc304326c674b0ef0f4fc2d516e9fb00dc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-711569230-3659488422-571408806-1000\0f5007522459c86e95ffcc62f32308f1_5fd6b8d9-48b3-42c0-adc7-08f9fe7c965e
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evldawnf\CSC778A97232140473CB899E1F6796357B.TMP
Filesize
1KB

MD5
42aa6767fffbec0a36ea23b2c760ae20

SHA1
5f66210233d4bc4a225885ffc151e447c94c793f

SHA256
f12aafb9b5d7f6d3812227ddd48c70857e581a3baabe450ee12235bc176e2ba4

SHA512
6c51b28b287b86472b1a483369a0fe6b480154026b6ce951f5204fd7467a1b25116936d64e2643f79263bb4445cb5c4cc38e4c978a1419ce7576c00391e2f7ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evldawnf\evldawnf.0.cs
Filesize
3KB

MD5
06227c0bb929f7a77c068fc3755b041c

SHA1
f142b32ffa1f828a9dce64141ea8af44f67a1356

SHA256
3a5840a67ce41aecc62d06ed3e85422aca6e0258df6de0d1696a646dcd059d02

SHA512
52fef4583ecd7516a1807531e0c6ab8747343e2ecf38c89b890a72e0523e6f7c9ac6b7b7f340c879c678e31e0c4fd62d6dd188b6d8d613ced36f5aa5ea66d7ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evldawnf\evldawnf.cmdline
Filesize
312B

MD5
f5b5d64d5970b4ee1743ef9c5a13f308

SHA1
2383c6702127c223aa1ce5d3f448618510782901

SHA256
71e408caf676958f13d8b8da59dfd8db99bdf7d9a0ea53e48660f1e9b662eebb

SHA512
307eee4bb2f8ea4f62593299226a41ec6bac4f1a9cf94ca62aa7da76b508f5683350e24567c98934cb2f391b17167b38b3392cda299a59d73cd10f7a64d2f029

Download Submit
memory/1580-19-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/1580-23-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/1580-17-0x0000000005020000-0x0000000005028000-memory.dmp

Filesize
32KB

Download
memory/1580-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/1580-20-0x0000000005220000-0x000000000524A000-memory.dmp

Filesize
168KB

Download
memory/1580-21-0x0000000005100000-0x000000000510C000-memory.dmp

Filesize
48KB

Download
memory/1580-22-0x0000000005390000-0x0000000005432000-memory.dmp

Filesize
648KB

Download
memory/1580-5-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/1580-1-0x0000000000800000-0x0000000000868000-memory.dmp

Filesize
416KB

Download
memory/1580-29-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/3828-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3828-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3828-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3828-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads