lokibot | 07a06726b001214b35d0adc289dcf0b31c2aedbde4700f6e8f14135550e66b65

General

Target

Ship88912.exe
Size

1.1MB
MD5

c253e553c97f0a6295948eb14a83ac1e
SHA1

fe268438c44460810bf807023f5f0d7ddbfd1b3d
SHA256

10b64ef8b15aa2fb82dabc075926b0810bdbe60c528ee82d75d0c01c32ddcb76
SHA512

80d6b74f211a3e58497a6107c16e25664c90a0afc4740107a09307c8411de9b3fc4d33badbc69cbaee8727b5b954cf1862ea7eb7b5a93fed99b05db9788a048a
SSDEEP

24576:zglru6TUwOeILMLEle0wyPcPtvA9njXORV97TlWR3VoRVFtPaKTF2VvdwSfv:cSIE0OvWTktiLFPFYmgv

Score

10^/10

lokibot discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://joombus.duckdns.org/loko/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Executes dropped EXE 1 IoCs

pid	Process
2796	Shysce.exe

Loads dropped DLL 5 IoCs

pid	Process
1704	Ship88912.exe
1704	Ship88912.exe
1704	Ship88912.exe
1704	Ship88912.exe
1704	Ship88912.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2744	2796	Shysce.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1656	2744	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ship88912.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shysce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TapiUnattend.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2796	Shysce.exe
2796	Shysce.exe
2796	Shysce.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2796	1704	Ship88912.exe	30
PID 1704 wrote to memory of 2796	1704	Ship88912.exe	30
PID 1704 wrote to memory of 2796	1704	Ship88912.exe	30
PID 1704 wrote to memory of 2796	1704	Ship88912.exe	30
PID 2796 wrote to memory of 2744	2796	Shysce.exe	31
PID 2796 wrote to memory of 2744	2796	Shysce.exe	31
PID 2796 wrote to memory of 2744	2796	Shysce.exe	31
PID 2796 wrote to memory of 2744	2796	Shysce.exe	31
PID 2796 wrote to memory of 2744	2796	Shysce.exe	31
PID 2796 wrote to memory of 2744	2796	Shysce.exe	31
PID 2744 wrote to memory of 1656	2744	TapiUnattend.exe	32
PID 2744 wrote to memory of 1656	2744	TapiUnattend.exe	32
PID 2744 wrote to memory of 1656	2744	TapiUnattend.exe	32
PID 2744 wrote to memory of 1656	2744	TapiUnattend.exe	32

C:\Users\Admin\AppData\Local\Temp\Ship88912.exe
"C:\Users\Admin\AppData\Local\Temp\Ship88912.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\Shysce.exe
  "C:\Users\Admin\AppData\Roaming\Shysce.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\TapiUnattend.exe
    "C:\Windows\System32\TapiUnattend.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 120
      4⤵
      Program crash
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Shy.bmp

Filesize
1.1MB

MD5
b817e365e36caf8ee342f7a70b07b209

SHA1
accf28a2d6aec54596655ee73387f845e07d7659

SHA256
cd53f5dc502fd9b548f0208e70afa34a245fa952f22e9510197f0f7d823f0d2c

SHA512
b0c5cf2cea2b8e63bac7ef9651304915dd3c04fde69fc7e21c161940dcfd3165bcf468b70b682b852333521b72065ec8511bb58cfb16c02d8ce2db5390f65455

Download Submit
\Users\Admin\AppData\Roaming\Shysce.exe

Filesize
423KB

MD5
151c4e186fe93ef13df0d5c7fae4f45b

SHA1
e72affd99f609a9e6900079a2e897f8dbd80196a

SHA256
870613ac3bae1a62b6279960cd0ce8fbecc49ed303388c6bd9971948777900ba

SHA512
3fb1198836fa5bf7e8953f5467d6f28beb58d3648525e78857342acf7394f8b48b809d51659775fbbc69e9866bdd39dcb4a0b71e209b8ee0b514e3e3c7834f39

Download Submit
memory/2744-27-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2744-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-31-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2744-34-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2796-20-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2796-22-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2796-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2796-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing