lokibot | f89dfd36a241cb191524a3be64415f40130197252df4eb7eca80f4f9f2823eb8

General

Target

purchasing order.exe
Size

639KB
MD5

b7da251d3f98a75ae233d09b17f3d362
SHA1

88a7ef6ba44c82821a2fe302be5ea343c8d58fbc
SHA256

799472ff2ede6b91288e967a805661d7ce186ca8ef7756c4bad3ed548e7c28b7
SHA512

ac88d6bcd3c269a8411337fc6d1f15ad41a2e62cf59727b2749d415db1852c6e1bbff74b9df5d4476930a228155411b375caeba7f440cfae66f9d1c68545677f

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://abixmaly.duckdns.org/binge/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1756-62-0x0000000000570000-0x000000000057B000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

purchasing order.exe

description pid process target process

PID 1756 set thread context of 1164 1756 purchasing order.exe purchasing order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

756 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

purchasing order.exe

pid process

1756 purchasing order.exe
1756 purchasing order.exe
1756 purchasing order.exe
1756 purchasing order.exe
1756 purchasing order.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

purchasing order.exe

pid process

1164 purchasing order.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

purchasing order.exepurchasing order.exe

description pid process

Token: SeDebugPrivilege 1756 purchasing order.exe
Token: SeDebugPrivilege 1164 purchasing order.exe

description	pid	process	target process
PID 1756 set thread context of 1164	1756	purchasing order.exe	purchasing order.exe

pid	process
756	schtasks.exe

pid	process
1756	purchasing order.exe
1756	purchasing order.exe
1756	purchasing order.exe
1756	purchasing order.exe
1756	purchasing order.exe

pid	process
1164	purchasing order.exe

description	pid	process
Token: SeDebugPrivilege	1756	purchasing order.exe
Token: SeDebugPrivilege	1164	purchasing order.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

purchasing order.exe

description	pid	process	target process
PID 1756 wrote to memory of 756	1756	purchasing order.exe	schtasks.exe
PID 1756 wrote to memory of 756	1756	purchasing order.exe	schtasks.exe
PID 1756 wrote to memory of 756	1756	purchasing order.exe	schtasks.exe
PID 1756 wrote to memory of 756	1756	purchasing order.exe	schtasks.exe
PID 1756 wrote to memory of 560	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 560	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 560	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 560	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1068	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1068	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1068	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1068	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe
PID 1756 wrote to memory of 1164	1756	purchasing order.exe	purchasing order.exe

C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
"C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gnsJKElkEKKhq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp454.tmp"
2⤵
- Creates scheduled task(s)
PID:756

C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
"C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
"C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"
2⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\purchasing order.exe
"C:\Users\Admin\AppData\Local\Temp\purchasing order.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp454.tmp
MD5
24d6ef061eacafe08be84565e5514104

SHA1
8886008f25e2ca77fe39d045fb953075ea548991

SHA256
d47d7d35eb889f498ec4cff00e608e2024ad88437e2b4c3ecf376633878d11ac

SHA512
5ffa9d107b7042edccd8538da217a50677fcf7f600e5d73361523245867b45171dd223db1ae11cab31d51b64e8532f26237cc3b49a3abc7e1d26b6e284ac432b

Download Submit
memory/756-65-0x0000000000000000-mapping.dmp

Download
memory/1164-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1164-68-0x00000000004139DE-mapping.dmp

Download
memory/1164-69-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1164-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1756-59-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1756-61-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1756-62-0x0000000000570000-0x000000000057B000-memory.dmp

Filesize
44KB

Download
memory/1756-63-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/1756-64-0x0000000000630000-0x0000000000651000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads