lokibot | 00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7

General

Target

c020d8fb46e6f451db2f6b86d4d92235.exe
Size

810KB
MD5

c020d8fb46e6f451db2f6b86d4d92235
SHA1

f7b0b42178d91a54f3e874b97a3c409c00bed229
SHA256

00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
SHA512

4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://37.0.10.190/3/xwt/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

3372 update.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3372	update.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c020d8fb46e6f451db2f6b86d4d92235.exeupdate.exe

description	pid	process	target process
PID 3872 set thread context of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3372 set thread context of 2032	3372	update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3876 schtasks.exe
3004 schtasks.exe

pid	process
3876	schtasks.exe
3004	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c020d8fb46e6f451db2f6b86d4d92235.exevbc.exeupdate.exe

description	pid	process
Token: SeDebugPrivilege	3872	c020d8fb46e6f451db2f6b86d4d92235.exe
Token: SeDebugPrivilege	3172	vbc.exe
Token: SeDebugPrivilege	3372	update.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

c020d8fb46e6f451db2f6b86d4d92235.execmd.exeupdate.execmd.exe

description	pid	process	target process
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 3172	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	vbc.exe
PID 3872 wrote to memory of 2876	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	cmd.exe
PID 3872 wrote to memory of 2876	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	cmd.exe
PID 3872 wrote to memory of 2876	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	cmd.exe
PID 3872 wrote to memory of 2760	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	cmd.exe
PID 3872 wrote to memory of 2760	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	cmd.exe
PID 3872 wrote to memory of 2760	3872	c020d8fb46e6f451db2f6b86d4d92235.exe	cmd.exe
PID 2876 wrote to memory of 3876	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 3876	2876	cmd.exe	schtasks.exe
PID 2876 wrote to memory of 3876	2876	cmd.exe	schtasks.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 2032	3372	update.exe	vbc.exe
PID 3372 wrote to memory of 1916	3372	update.exe	cmd.exe
PID 3372 wrote to memory of 1916	3372	update.exe	cmd.exe
PID 3372 wrote to memory of 1916	3372	update.exe	cmd.exe
PID 3372 wrote to memory of 1992	3372	update.exe	cmd.exe
PID 3372 wrote to memory of 1992	3372	update.exe	cmd.exe
PID 3372 wrote to memory of 1992	3372	update.exe	cmd.exe
PID 1916 wrote to memory of 3004	1916	cmd.exe	schtasks.exe
PID 1916 wrote to memory of 3004	1916	cmd.exe	schtasks.exe
PID 1916 wrote to memory of 3004	1916	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe
"C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c020d8fb46e6f451db2f6b86d4d92235.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
2⤵
PID:2760

C:\Users\Admin\AppData\Roaming\update\update.exe
C:\Users\Admin\AppData\Roaming\update\update.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\update\update.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
2⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
c020d8fb46e6f451db2f6b86d4d92235

SHA1
f7b0b42178d91a54f3e874b97a3c409c00bed229

SHA256
00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7

SHA512
4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
c020d8fb46e6f451db2f6b86d4d92235

SHA1
f7b0b42178d91a54f3e874b97a3c409c00bed229

SHA256
00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7

SHA512
4850824cef591d57754818de1e9d93d50e6dfde215dadfb4007f4d8f0416e8cb037b2c25838f3c6920f271087c3dcc872fe73c61eae7bc4039414f310dd08e50

Download Submit
memory/1916-141-0x0000000000000000-mapping.dmp

Download
memory/1992-142-0x0000000000000000-mapping.dmp

Download
memory/2032-140-0x00000000004139DE-mapping.dmp

Download
memory/2760-128-0x0000000000000000-mapping.dmp

Download
memory/2876-127-0x0000000000000000-mapping.dmp

Download
memory/3004-143-0x0000000000000000-mapping.dmp

Download
memory/3172-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3172-125-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3172-124-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3172-123-0x00000000004139DE-mapping.dmp

Download
memory/3172-122-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3372-138-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/3372-132-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3872-121-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3872-115-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/3872-120-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/3872-119-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3872-118-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3872-117-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3876-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads