lokibot | 5f8d5465ca543c43e092633df12e87a4c64e1bbe46383696e57363665513e35f

General

Target

RFQ_PDF.exe
Size

961KB
MD5

0a992633e64cdfb5cf4d7e8991ab6a6e
SHA1

2799fc17e93b9b386cf47d4968c7e9a0b95c226d
SHA256

5909649b24c15202df7a9f3f9896396d31d449f8b7e736c076ad771d03267f5b
SHA512

19a1858f99e98f050beb686039f6f0acaef206739376c8d2bd006c6c571f3fcbd00cfd1c84e70deabb92802dfde59dc9abcbf955db3d16269fa0114298877992
SSDEEP

12288:ptb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga2TAo4fPB7aLqPT6A:ptb20pkaCqT5TBWgNQ7aOAo4fP1DT6A

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

https://edgewell.cam/DV2/PWS/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 3144	1952	RFQ_PDF.exe	77

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	1952	WerFault.exe	76

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4236	WINWORD.EXE
4236	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1952	RFQ_PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1952	RFQ_PDF.exe
1952	RFQ_PDF.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1952	RFQ_PDF.exe
1952	RFQ_PDF.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4236	WINWORD.EXE
4236	WINWORD.EXE
4236	WINWORD.EXE
4236	WINWORD.EXE
4236	WINWORD.EXE
4236	WINWORD.EXE
4236	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3144	1952	RFQ_PDF.exe	77
PID 1952 wrote to memory of 3144	1952	RFQ_PDF.exe	77
PID 1952 wrote to memory of 3144	1952	RFQ_PDF.exe	77
PID 1952 wrote to memory of 3144	1952	RFQ_PDF.exe	77

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ_PDF.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 756
  2⤵
  - Program crash
  PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1952 -ip 1952
1⤵
PID:4424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4752

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-423582142-4191893794-1888535462-1000\0f5007522459c86e95ffcc62f32308f1_d1198a5f-3a25-4db4-82c8-c6e12a3056f2

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-423582142-4191893794-1888535462-1000\0f5007522459c86e95ffcc62f32308f1_d1198a5f-3a25-4db4-82c8-c6e12a3056f2

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
201B

MD5
35375f95b1430c8b11ebeb931fba0dda

SHA1
5122d139ac357db969c191b941bd479ceb9dc59f

SHA256
fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b

SHA512
b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
e661a695f68d43be51e392a5b3dc2a91

SHA1
ca1a1ab1deafff192a1df1439b22a04f0849c05a

SHA256
352f647262bb3563538a5e4df23357ad48dc4f58db4a3f60e9dff9bd1c36508d

SHA512
329c063568e9f43b9c984c518e8184895be8d2e061b94044a8b918e64dc627d5dfca8098e3de162e016b14109bc1cde2de24424c2fcb0e7e8e03faeb82a9bfec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe5cda6a.TMP

Filesize
3KB

MD5
b70101a43b32f88df07da2adbd546ff3

SHA1
62f94479f679c0259f46569a1be393a4531415a7

SHA256
e11b5add3fd72f648fae789a686cf8c48f261d7aa0245ffed7fc3e11b0ee34c6

SHA512
aca686e764dee8a181999c1a5876974e37cab38cabd3081ae94170093e1e1fcb0a5150c283a78d346e082c6539c7b1843069c86757b4a764feab2f0f56fbd65f

Download Submit
memory/1952-10-0x00000000033F0000-0x00000000033F4000-memory.dmp

Filesize
16KB

Download
memory/3144-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3144-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3144-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3144-34-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3144-42-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4236-85-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-90-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-81-0x00007FFBD0183000-0x00007FFBD0184000-memory.dmp

Filesize
4KB

Download
memory/4236-76-0x00007FFB90170000-0x00007FFB90180000-memory.dmp

Filesize
64KB

Download
memory/4236-84-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-83-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-86-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-82-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-88-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-80-0x00007FFB90170000-0x00007FFB90180000-memory.dmp

Filesize
64KB

Download
memory/4236-89-0x00007FFB8DED0000-0x00007FFB8DEE0000-memory.dmp

Filesize
64KB

Download
memory/4236-87-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-91-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-94-0x00007FFB8DED0000-0x00007FFB8DEE0000-memory.dmp

Filesize
64KB

Download
memory/4236-93-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-95-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-92-0x00007FFBD00E0000-0x00007FFBD02E9000-memory.dmp

Filesize
2.0MB

Download
memory/4236-78-0x00007FFB90170000-0x00007FFB90180000-memory.dmp

Filesize
64KB

Download
memory/4236-79-0x00007FFB90170000-0x00007FFB90180000-memory.dmp

Filesize
64KB

Download
memory/4236-77-0x00007FFB90170000-0x00007FFB90180000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads