lokibot | 07a06726b001214b35d0adc289dcf0b31c2aedbde4700f6e8f14135550e66b65

General

Target

Ship88912.exe
Size

1.1MB
MD5

c253e553c97f0a6295948eb14a83ac1e
SHA1

fe268438c44460810bf807023f5f0d7ddbfd1b3d
SHA256

10b64ef8b15aa2fb82dabc075926b0810bdbe60c528ee82d75d0c01c32ddcb76
SHA512

80d6b74f211a3e58497a6107c16e25664c90a0afc4740107a09307c8411de9b3fc4d33badbc69cbaee8727b5b954cf1862ea7eb7b5a93fed99b05db9788a048a
SSDEEP

24576:zglru6TUwOeILMLEle0wyPcPtvA9njXORV97TlWR3VoRVFtPaKTF2VvdwSfv:cSIE0OvWTktiLFPFYmgv

Score

10^/10

lokibot discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://joombus.duckdns.org/loko/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Ship88912.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	Shysce.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 3352	3568	Shysce.exe	91
PID 3568 set thread context of 680	3568	Shysce.exe	96
PID 3568 set thread context of 4160	3568	Shysce.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1384	3352	WerFault.exe	91
2432	680	WerFault.exe	96
4784	4160	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shysce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ship88912.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe
3568	Shysce.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3568	4932	Ship88912.exe	82
PID 4932 wrote to memory of 3568	4932	Ship88912.exe	82
PID 4932 wrote to memory of 3568	4932	Ship88912.exe	82
PID 3568 wrote to memory of 3352	3568	Shysce.exe	91
PID 3568 wrote to memory of 3352	3568	Shysce.exe	91
PID 3568 wrote to memory of 3352	3568	Shysce.exe	91
PID 3568 wrote to memory of 3352	3568	Shysce.exe	91
PID 3568 wrote to memory of 3352	3568	Shysce.exe	91
PID 3568 wrote to memory of 2828	3568	Shysce.exe	95
PID 3568 wrote to memory of 2828	3568	Shysce.exe	95
PID 3568 wrote to memory of 2828	3568	Shysce.exe	95
PID 3568 wrote to memory of 680	3568	Shysce.exe	96
PID 3568 wrote to memory of 680	3568	Shysce.exe	96
PID 3568 wrote to memory of 680	3568	Shysce.exe	96
PID 3568 wrote to memory of 680	3568	Shysce.exe	96
PID 3568 wrote to memory of 680	3568	Shysce.exe	96
PID 3568 wrote to memory of 4160	3568	Shysce.exe	99
PID 3568 wrote to memory of 4160	3568	Shysce.exe	99
PID 3568 wrote to memory of 4160	3568	Shysce.exe	99
PID 3568 wrote to memory of 4160	3568	Shysce.exe	99
PID 3568 wrote to memory of 4160	3568	Shysce.exe	99

C:\Users\Admin\AppData\Local\Temp\Ship88912.exe
"C:\Users\Admin\AppData\Local\Temp\Ship88912.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Roaming\Shysce.exe
  "C:\Users\Admin\AppData\Roaming\Shysce.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\TapiUnattend.exe
    "C:\Windows\System32\TapiUnattend.exe"
    3⤵
    PID:3352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 352
      4⤵
      Program crash
      PID:1384
- - C:\Windows\SysWOW64\sethc.exe
    "C:\Windows\System32\sethc.exe"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 356
      4⤵
      Program crash
      PID:2432
- - C:\Windows\SysWOW64\sxstrace.exe
    "C:\Windows\System32\sxstrace.exe"
    3⤵
    PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 360
      4⤵
      Program crash
      PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3352 -ip 3352
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 680 -ip 680
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4160 -ip 4160
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Shy.bmp

Filesize
1.1MB

MD5
b817e365e36caf8ee342f7a70b07b209

SHA1
accf28a2d6aec54596655ee73387f845e07d7659

SHA256
cd53f5dc502fd9b548f0208e70afa34a245fa952f22e9510197f0f7d823f0d2c

SHA512
b0c5cf2cea2b8e63bac7ef9651304915dd3c04fde69fc7e21c161940dcfd3165bcf468b70b682b852333521b72065ec8511bb58cfb16c02d8ce2db5390f65455

Download Submit
C:\Users\Admin\AppData\Roaming\Shysce.exe

Filesize
423KB

MD5
151c4e186fe93ef13df0d5c7fae4f45b

SHA1
e72affd99f609a9e6900079a2e897f8dbd80196a

SHA256
870613ac3bae1a62b6279960cd0ce8fbecc49ed303388c6bd9971948777900ba

SHA512
3fb1198836fa5bf7e8953f5467d6f28beb58d3648525e78857342acf7394f8b48b809d51659775fbbc69e9866bdd39dcb4a0b71e209b8ee0b514e3e3c7834f39

Download Submit
memory/3352-21-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3352-23-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3568-14-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3568-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3568-16-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3568-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing