lokibot | 301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d

General

Target

301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
Size

148KB
MD5

ca44a3a8334d049e806e9e02f2c764f8
SHA1

4484b6795336e063747d7157cfddd15c7c218ca6
SHA256

301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d
SHA512

5404d0f741e65937bdd0c0ec077fda9a3681b7bc6e12a579e8129e1ccc10aa53d0a47bba0f0bd7298cffc10efb19f4f4eec233e3cf2d0750d5545b9ab98cc73a

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://103.194.170.48/update/GISVOUH/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe

description pid process target process

PID 1044 set thread context of 1496 1044 301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe

pid process

1044 301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
1044 301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exevbc.exe

description pid process

Token: SeDebugPrivilege 1044 301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
Token: SeDebugPrivilege 1496 vbc.exe

description	pid	process	target process
PID 1044 set thread context of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe

pid	process
1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe

description	pid	process
Token: SeDebugPrivilege	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
Token: SeDebugPrivilege	1496	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.execsc.exe

description	pid	process	target process
PID 1044 wrote to memory of 1264	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	csc.exe
PID 1044 wrote to memory of 1264	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	csc.exe
PID 1044 wrote to memory of 1264	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	csc.exe
PID 1044 wrote to memory of 1264	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	csc.exe
PID 1264 wrote to memory of 1560	1264	csc.exe	cvtres.exe
PID 1264 wrote to memory of 1560	1264	csc.exe	cvtres.exe
PID 1264 wrote to memory of 1560	1264	csc.exe	cvtres.exe
PID 1264 wrote to memory of 1560	1264	csc.exe	cvtres.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe
PID 1044 wrote to memory of 1496	1044	301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
"C:\Users\Admin\AppData\Local\Temp\301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlbqtnfp\mlbqtnfp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B8.tmp" "c:\Users\Admin\AppData\Local\Temp\mlbqtnfp\CSC9D09ADFD58D04D44ADA9144ED2EAC6F.TMP"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0B8.tmp
MD5
7f8db0b4209ab8144713bb1fe0b9b2b1

SHA1
18b5b328c4619da360c8fac639c408952a6740d4

SHA256
ea6ae51f187a6492442dbdef21cacddc8f9fe6cb703d5e39503ed1cf0729eefa

SHA512
e1c36a99eff682d9fc5c294fc473ec05d9e965af2d77e17c5ee97b4f2030e71d84c704cffa3fdddb16d5e7373a8d141fd64b358fe7df27660b54a1c19813659c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbqtnfp\mlbqtnfp.dll
MD5
ee1bc61701bcc806393524ac4423d434

SHA1
e3f8d69a218d0b49abd6bd881ba6a551a04ce693

SHA256
4cf0bc235d31fe26ee140a4a0c25af9d8b0ef2e59f1199b262940b5cd890b4c1

SHA512
8d014ede936708e5ffe1ba8ed5e69ae3632fa6bcd796c332f9140a87e6d2117cdd679ec551ea6800b477e5ade59f23c10449528bd849e59fb8d69758185e597b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbqtnfp\mlbqtnfp.pdb
MD5
0f914153fbbfa54391e87e066e013da2

SHA1
8787211a5959c04c3c74d392811ca81fbc7a840f

SHA256
31764ab8b959198fb1d0646fcf9d824ee6409f1bc77d5311ff2dc5d73b5d8ab0

SHA512
768702420a4175ba1e1a4071b71c3855053eab294a6c03ba320beaba48cef15d17a55d122bc7f80cd5de87be721df847d9a55c49c0972153ee945706a66e8088

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlbqtnfp\CSC9D09ADFD58D04D44ADA9144ED2EAC6F.TMP
MD5
9fdb4524429b57acf4179960f6e7d89a

SHA1
3ce7f94b44761dc726ba317c53dce66c1f5e558e

SHA256
44777b0d9307a1899fd4b39286b06c6ead1811babd667e2adea2a9b76fc2720e

SHA512
b8a4d77b73ed1cad1b89701a95c7fa4ca751b1f1160f5ee047465717efd25033b7880381b72071e739f9896cdc7af22335944695625bb4b963aa0a82219bdf55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlbqtnfp\mlbqtnfp.0.cs
MD5
63d773f21162ad8964b0b6195aa7b99c

SHA1
bd17198070deb92e57acd6d70771bea4de3cf0c3

SHA256
59d178be1e411f4a487ec04ed9c216f4c4f0701adfcd28c561492ac55c625fba

SHA512
ea57f2f22afb7c461859afa85a3702ef881d56adc9a54f6b8f9003d11c1adff6addaa4c521fd65283d33229c8676921db2919ea7c945c8920465a370081e060c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlbqtnfp\mlbqtnfp.cmdline
MD5
4efd3abc9dcf8355dea11c644a9c8b6e

SHA1
204b84460f261eb8cb5f90dc93d9c77a1be6ddf0

SHA256
3e490fb12cd9256e2d9a2a5603cf18e8dbe65e807d1feaffc66892cfa288777f

SHA512
1d138968ebf3ec3bd502b9ddfa8e8c4132bec35793c2d60c3ce30bbe1d0211b30fee06bebfda935c52baccddbd167af211ab2ba7a6863cd471e179a89e29a940

Download Submit
memory/1044-67-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1044-54-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/1044-68-0x0000000000690000-0x00000000006AA000-memory.dmp

Filesize
104KB

Download
memory/1044-56-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1044-65-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/1044-66-0x00000000004B0000-0x00000000004D4000-memory.dmp

Filesize
144KB

Download
memory/1264-57-0x0000000000000000-mapping.dmp

Download
memory/1496-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1496-70-0x00000000004139DE-mapping.dmp

Download
memory/1496-71-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1496-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1560-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing