lokibot | 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6

General

Target

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
Size

271KB
MD5

6d6e6d27380ce69f043be7dc379fbf15
SHA1

7078801fbf3ef2523958b0431a56a07a9002d1e9
SHA256

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6
SHA512

36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f
SSDEEP

3072:ztaqL0wY0edtH7iebY4iEixttdmdsbKvLcL5QpH4Z7i9ZcaPri2mn:Bmb9bUDmybjGqi+2m

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://timmason2.com/demoami/demoami/iu/y/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

2204 svhost.exe

pid	process
2204	svhost.exe

Loads dropped DLL 2 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

pid	process
2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

description	pid	process	target process
PID 2016 set thread context of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe:Zone.Identifier cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

pid	process
2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

description pid process

Token: SeDebugPrivilege 2016 5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

description	pid	process
Token: SeDebugPrivilege	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 2008	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 2016 wrote to memory of 2008	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 2016 wrote to memory of 2008	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 2016 wrote to memory of 2008	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	cmd.exe
PID 2008 wrote to memory of 2188	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 2188	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 2188	2008	cmd.exe	reg.exe
PID 2008 wrote to memory of 2188	2008	cmd.exe	reg.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe
PID 2016 wrote to memory of 2204	2016	5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe
"C:\Users\Admin\AppData\Local\Temp\5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\txi7\tzt7.exe.lnk" /f
    3⤵
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Roaming\txi7\tzt7.exe

Filesize
271KB

MD5
6d6e6d27380ce69f043be7dc379fbf15

SHA1
7078801fbf3ef2523958b0431a56a07a9002d1e9

SHA256
5d7865a5bf7fab4231f56e3794a271a297667e1a9bdf0d3c9615a3a30475e3c6

SHA512
36d521333c8bb5bebae18a838629bbbc40cb5ec6922b823d2298ccd83c0808311407cc88ae7f22bd0722261a6b2a9372891cdacd9ba10398cdb48f777480209f

Download Submit
memory/2016-0-0x0000000074091000-0x0000000074092000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-2-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-24-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-13-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2204-22-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2204-16-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2204-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-14-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2204-15-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2204-17-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads