lokibot | f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207

General

Target

e9d26537e90ed16f25562af4e1f32d67.exe
Size

750KB
MD5

e9d26537e90ed16f25562af4e1f32d67
SHA1

12815966f19753f9fa7035179138b449dc0281b3
SHA256

f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
SHA512

0ecb24fe955c34fcf0ec3addb4813302c5fcc9c882ecbfcccb03c1657a94754073247d81d81f556e2ad3907adaa381a4607d12fc69dabd8637e09ba989941b31
SSDEEP

12288:UcrNS33L10QdrXPMztnIQ0oZCkv6JkDTziH4nIAdL+tFiZsQTZjWR7Tyr5W4uO3w:vNA3R5drXPUtI0ZCkvTOUN+tFimQq7TR

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://94.156.66.169:5334/drhwttsg/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	e9d26537e90ed16f25562af4e1f32d67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	dxhdxtx.sfx.exe

Executes dropped EXE 4 IoCs

pid	Process
3524	dxhdxtx.sfx.exe
1468	dxhdxtx.exe
2804	dxhdxtx.exe
2240	dxhdxtx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dxhdxtx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dxhdxtx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dxhdxtx.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 2804	1468	dxhdxtx.exe	93
PID 1468 set thread context of 2240	1468	dxhdxtx.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9d26537e90ed16f25562af4e1f32d67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxhdxtx.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	dxhdxtx.exe
Token: SeDebugPrivilege	2804	dxhdxtx.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2116	4812	e9d26537e90ed16f25562af4e1f32d67.exe	85
PID 4812 wrote to memory of 2116	4812	e9d26537e90ed16f25562af4e1f32d67.exe	85
PID 4812 wrote to memory of 2116	4812	e9d26537e90ed16f25562af4e1f32d67.exe	85
PID 2116 wrote to memory of 3524	2116	cmd.exe	89
PID 2116 wrote to memory of 3524	2116	cmd.exe	89
PID 2116 wrote to memory of 3524	2116	cmd.exe	89
PID 3524 wrote to memory of 1468	3524	dxhdxtx.sfx.exe	91
PID 3524 wrote to memory of 1468	3524	dxhdxtx.sfx.exe	91
PID 3524 wrote to memory of 1468	3524	dxhdxtx.sfx.exe	91
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2804	1468	dxhdxtx.exe	93
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94
PID 1468 wrote to memory of 2240	1468	dxhdxtx.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dxhdxtx.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dxhdxtx.exe

C:\Users\Admin\AppData\Local\Temp\e9d26537e90ed16f25562af4e1f32d67.exe
"C:\Users\Admin\AppData\Local\Temp\e9d26537e90ed16f25562af4e1f32d67.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dystsdf.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.sfx.exe
    dxhdxtx.sfx.exe -prftgyhujiksdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeG -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
      "C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        
        C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxhdxtx.exe

Filesize
440KB

MD5
9d97e40f246a22c78416163279aad01a

SHA1
f46fa5fe0e12916f6aaa35a19b0d574e6f998ba5

SHA256
ae5f664f2ea4ee2f17f982ff26c07830731c9538082e4fe0e8c163f74c344fec

SHA512
e526bbe49e74d3ca7585ad69f217d1d8564b01653e16e1b91974d0655e1fd8402283abac9ff5ac3d5691f64bd4683534a741988e2833c4a02788bcdd96c41831

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxhdxtx.sfx.exe

Filesize
603KB

MD5
c262db4467562a1e02020ecdd446458f

SHA1
fb6c57b0a5c8b44b0f6cb72f95b7326e1bf73515

SHA256
86d62d5b64db382099df415cfa3ecf27956a62e11f234d46da39dfdad1e57886

SHA512
ab1f050deab9839b0c7a32a8abff1a759e527ce544d7620e3cfba0ba751414d80cec82d9cfee0de553cc00b73e3935a2455fabbc2bfc9e7f1842397772e73b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\dystsdf.cmd

Filesize
18KB

MD5
bf1a918642590a76003144e08deba52c

SHA1
2b13fb7934e631854bff56137523b943ad9634a9

SHA256
d0e8950b3ded0fed3088d5fc6c5ebbfd71f9ef5d13374d3c1b451b5f9776f032

SHA512
c72e35061477cb4a9633f0f57677afd38722c9c7598cfcc1a7d506e990e7846f55efe89c3cc1a34e689a89842ae76ba190b093c20c7db5ca25470e4dd5c0e578

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2077438316-259605770-1264560426-1000\0f5007522459c86e95ffcc62f32308f1_8ed3c59f-d7fe-4993-aee3-a17c2cac2de1

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2077438316-259605770-1264560426-1000\0f5007522459c86e95ffcc62f32308f1_8ed3c59f-d7fe-4993-aee3-a17c2cac2de1

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/1468-23-0x0000000002680000-0x0000000002686000-memory.dmp

Filesize
24KB

Download
memory/1468-25-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/1468-26-0x00000000026E0000-0x00000000026E6000-memory.dmp

Filesize
24KB

Download
memory/1468-27-0x0000000009470000-0x0000000009A14000-memory.dmp

Filesize
5.6MB

Download
memory/1468-28-0x0000000008900000-0x0000000008992000-memory.dmp

Filesize
584KB

Download
memory/1468-24-0x0000000004D30000-0x0000000004DA8000-memory.dmp

Filesize
480KB

Download
memory/1468-22-0x0000000000470000-0x00000000004E6000-memory.dmp

Filesize
472KB

Download
memory/2804-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2804-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2804-54-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2804-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing