lokibot | 3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Resubmissions

21-12-2024 22:57

241221-2xpr2atjar 10

21-12-2024 20:29

241221-y9xfvsyngy 10

Analysis

max time kernel
46s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-12-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
Size

851KB
MD5

84a4e8581550b0634e38d3218813ac79
SHA1

1005f9154fb27c448ce8e39646b2da1fc010942e
SHA256

1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d
SHA512

0c924c0763f9bec6c7de3f303263436c8c63ff40682966feb04ffa54eb282aabe5d52a8d5dbffd417666f0a7d77d25eb24956a853616dfed24c79c278e9dd5a9
SSDEEP

12288:y4xTxt9ivc50KsBNgK10IJkHKqZrDgSQlOnvgfEunph:3FivcRsBVBJyZX28n2

Score

10^/10

lokibot collection discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://192.64.118.167/profile.php?id=oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Lokibot family
lokibot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
6020	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
Token: SeDebugPrivilege	6020	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 2824	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	77
PID 5040 wrote to memory of 2824	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	77
PID 5040 wrote to memory of 2824	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	77
PID 5040 wrote to memory of 2044	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	78
PID 5040 wrote to memory of 2044	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	78
PID 5040 wrote to memory of 2044	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	78
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79
PID 5040 wrote to memory of 6020	5040	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe	79

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe

C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
"C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
  "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
  "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe
  "C:\Users\Admin\AppData\Local\Temp\1aa85c5026608d04abec7b7af789f3b5e28c59064733c0efdb942a543926558d.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
memory/5040-10-0x000000000AAB0000-0x000000000AB2A000-memory.dmp

Filesize
488KB

Download
memory/5040-8-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/5040-9-0x0000000008400000-0x000000000840C000-memory.dmp

Filesize
48KB

Download
memory/5040-4-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/5040-5-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/5040-6-0x00000000083E0000-0x00000000083F8000-memory.dmp

Filesize
96KB

Download
memory/5040-7-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/5040-19-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/5040-3-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/5040-2-0x0000000005A20000-0x0000000005FC6000-memory.dmp

Filesize
5.6MB

Download
memory/5040-12-0x000000000ACE0000-0x000000000AD46000-memory.dmp

Filesize
408KB

Download
memory/5040-11-0x000000000ABD0000-0x000000000AC6C000-memory.dmp

Filesize
624KB

Download
memory/5040-13-0x000000000AB30000-0x000000000AB52000-memory.dmp

Filesize
136KB

Download
memory/5040-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/5040-1-0x00000000008E0000-0x00000000009BC000-memory.dmp

Filesize
880KB

Download
memory/6020-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/6020-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/6020-16-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/6020-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download