lokibot | 1abfb687c7a8ce81da6ac312940fa5f59dcc62cd953abed9f834b0e7d3866677

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBazaar.exe
Size

610KB
MD5

fcb454d6c9e847dce8648ef9feb461ae
SHA1

dfcd666c00e85a1e9f9a484396ddbf59673d3ad0
SHA256

1abfb687c7a8ce81da6ac312940fa5f59dcc62cd953abed9f834b0e7d3866677
SHA512

a70d1ff91a5dce38b47bdfa09373a46526990e1f449fcddebb08a5f7bf0a21b3d7551e118f7af8bfacd360d0b4090dad262af951ca2e616354bad30fb0624392
SSDEEP

12288:8pahc5wOevADY1HQqfNGdRYoix0VYWsX0imyfK3:8Zd4GGHFfNGYoM8sXseK3

Score

10^/10

lokibot discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://meridianresourcellc.top/document/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

MalwareBazaar.exe

description pid process target process

PID 2624 set thread context of 1988 2624 MalwareBazaar.exe MalwareBazaar.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MalwareBazaar.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MalwareBazaar.exe

description	pid	process	target process
PID 2624 set thread context of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareBazaar.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

MalwareBazaar.exe

description	pid	process	target process
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe
PID 2624 wrote to memory of 1988	2624	MalwareBazaar.exe	MalwareBazaar.exe

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
2⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1988-8-0x0000000000900000-0x00000000009A2000-memory.dmp

Filesize
648KB

Download
memory/2624-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/2624-1-0x0000000000F20000-0x0000000000FBE000-memory.dmp

Filesize
632KB

Download
memory/2624-2-0x0000000005920000-0x000000000596E000-memory.dmp

Filesize
312KB

Download
memory/2624-3-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/2624-4-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/2624-5-0x0000000005BB0000-0x0000000005C4C000-memory.dmp

Filesize
624KB

Download
memory/2624-6-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2624-7-0x0000000005A40000-0x0000000005A48000-memory.dmp

Filesize
32KB

Download
memory/2624-11-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download