lokibot | 2706cd9c8993267a695a8580ff5987c821093bfea0de05b561a98ac020b373ee

General

Target

PO2021.27.07.exe
Size

851KB
MD5

acef407cd9b335c0c1ca6582aef98d35
SHA1

28569bb0962cbe06d1344a61aa8c426746494632
SHA256

2706cd9c8993267a695a8580ff5987c821093bfea0de05b561a98ac020b373ee
SHA512

3a4802a7b378a8b3cfdfcc1bff108756d3cf30a4d9218fdcfcc55000093a3a2951bb0238d6ab199eade72966984446ffd4120fa6b69ba1df30f8f1900cfc856c

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://192.236.179.121/new/zubby/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/620-121-0x0000000002430000-0x000000000243B000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO2021.27.07.exe

description pid process target process

PID 620 set thread context of 2196 620 PO2021.27.07.exe PO2021.27.07.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3824 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

PO2021.27.07.exe

pid process

620 PO2021.27.07.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

PO2021.27.07.exe

pid process

2196 PO2021.27.07.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO2021.27.07.exePO2021.27.07.exe

description pid process

Token: SeDebugPrivilege 620 PO2021.27.07.exe
Token: SeDebugPrivilege 2196 PO2021.27.07.exe

description	pid	process	target process
PID 620 set thread context of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe

pid	process
3824	schtasks.exe

pid	process
620	PO2021.27.07.exe

pid	process
2196	PO2021.27.07.exe

description	pid	process
Token: SeDebugPrivilege	620	PO2021.27.07.exe
Token: SeDebugPrivilege	2196	PO2021.27.07.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO2021.27.07.exe

description	pid	process	target process
PID 620 wrote to memory of 3824	620	PO2021.27.07.exe	schtasks.exe
PID 620 wrote to memory of 3824	620	PO2021.27.07.exe	schtasks.exe
PID 620 wrote to memory of 3824	620	PO2021.27.07.exe	schtasks.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe
PID 620 wrote to memory of 2196	620	PO2021.27.07.exe	PO2021.27.07.exe

C:\Users\Admin\AppData\Local\Temp\PO2021.27.07.exe
"C:\Users\Admin\AppData\Local\Temp\PO2021.27.07.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cZuUfhTy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B3C.tmp"
2⤵
- Creates scheduled task(s)
PID:3824

C:\Users\Admin\AppData\Local\Temp\PO2021.27.07.exe
"C:\Users\Admin\AppData\Local\Temp\PO2021.27.07.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7B3C.tmp
MD5
dba0efecec52c4c7d78cc28da721b25e

SHA1
735e651dde008d5ccec5cd1b2031ceed968ca27e

SHA256
156ceaee4634055c582cf0ee660569a3b473954df044a669d1c4fd95b83008be

SHA512
a5ebad3ce21616490f72724830f50a84b4b79a879873474f0090bf865ae77dc643d78cef4b5794b7ed860ad41bf6a6aa622941b3062a09f7e76c2fd081bb50a6

Download Submit
memory/620-121-0x0000000002430000-0x000000000243B000-memory.dmp

Filesize
44KB

Download
memory/620-117-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/620-118-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/620-119-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/620-120-0x0000000006E60000-0x000000000735E000-memory.dmp

Filesize
5.0MB

Download
memory/620-114-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/620-122-0x0000000004A50000-0x0000000004AB6000-memory.dmp

Filesize
408KB

Download
memory/620-123-0x0000000004AD0000-0x0000000004AF1000-memory.dmp

Filesize
132KB

Download
memory/620-116-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/2196-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2196-127-0x00000000004139DE-mapping.dmp

Download
memory/2196-128-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3824-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads