lokibot | a987537a3eed5febba6fb3d7b560bc7df89d28d2f141dc6d0350fc67f603fc0f

General

Target

swift.exe
Size

1.0MB
MD5

1eeb57c0877a06d18aa028e87d5158b4
SHA1

d086921faba08c2600d862b680b70a53a3bfb88e
SHA256

d8c8496ad93779966bb498f8749bae4b6cdf2e1bd46c75a341e81a19fefde4a3
SHA512

16303c9bcedbfe4c5d6c953e39a98014d7f355e1c6413f960094840fb9e7f581832cc54a0557cc81e3e212f48c82d6897bcbaa4bc3fdecb72043757349f153b1
SSDEEP

24576:zglru6TUwOFJqxotNMKoGAIp7WfJ8H7bDdwb6ju63uNF+:cSva65pE8XDVaNw

Score

10^/10

lokibot collection credential_access discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://djanic.duckdns.org/fashion/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	swift.exe

Executes dropped EXE 1 IoCs

pid	Process
3788	Jpxquhr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	TapiUnattend.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	TapiUnattend.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	TapiUnattend.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jpxq = "C:\\Users\\Admin\\AppData\\Local\\Jpxq\\Jpxq_setko.hta"	Jpxquhr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 4344	3788	Jpxquhr.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swift.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpxquhr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TapiUnattend.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe
3788	Jpxquhr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	TapiUnattend.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 3788	1396	swift.exe	94
PID 1396 wrote to memory of 3788	1396	swift.exe	94
PID 1396 wrote to memory of 3788	1396	swift.exe	94
PID 3788 wrote to memory of 4344	3788	Jpxquhr.exe	96
PID 3788 wrote to memory of 4344	3788	Jpxquhr.exe	96
PID 3788 wrote to memory of 4344	3788	Jpxquhr.exe	96
PID 3788 wrote to memory of 4344	3788	Jpxquhr.exe	96
PID 3788 wrote to memory of 4344	3788	Jpxquhr.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	TapiUnattend.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	TapiUnattend.exe

C:\Users\Admin\AppData\Local\Temp\swift.exe
"C:\Users\Admin\AppData\Local\Temp\swift.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe
  "C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\TapiUnattend.exe
    "C:\Windows\System32\TapiUnattend.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4240,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:8
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jpxq

Filesize
581KB

MD5
625f27cb29149f99eb93735d15e69d80

SHA1
6e1ceb59b5f2985753cf4b9331fd0b5ee7d606a6

SHA256
864d203102cd402deb72fbf66b27fb288d8cd3cb0b1cd879c13cc31aa904bdc6

SHA512
64e3ea68f6c27d57b9a10b8e0ccb1b439bda38621d04cae08d787506dd07f49517a94852597c72c4a0061d155369bf2881b01ed7c93f7a3dbc9ed339a153bd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpxquhr.exe

Filesize
852KB

MD5
6a8b19b1a958e846116ffe3ea5ca5cd6

SHA1
c6b75c86600d47b686e4f10b09810b6583b4843e

SHA256
feec0a596b7e08a8221650ae960b986ccc7e4634db6257c66325e8d2fdc7b04c

SHA512
037306796aa558cadaebfbe5ba6bfb8a0e4ad83976269a5ab693306842aa7e58470d2957400b75e94a683a0cfe9ed11b83311d754b72a4c3d22cd1cb08b00e3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2170637797-568393320-3232933035-1000\0f5007522459c86e95ffcc62f32308f1_76278eb0-9988-43b4-9423-af5897ebbcb4

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
memory/3788-11-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/3788-47-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4344-21-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4344-23-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4344-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4344-45-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads