lokibot | d53b16bb54e10bada1347a25db1ebc090d5822bf6285dc3d707bf4abb65e3ab5

General

Target

SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
Size

331KB
MD5

b387b2bde14ad35ce0fea34ab540db93
SHA1

2ee731cecbf4dc498fa31705060fb5c8d258e015
SHA256

d53b16bb54e10bada1347a25db1ebc090d5822bf6285dc3d707bf4abb65e3ab5
SHA512

6af60c0c30fc70bc161cd1e8020a6f45c24e4edab3faace08dc3c85eb5b826e00dbd0b7a7c7a3e37a2e1eb50f8c59517d3e42335aeaf208256544fa6131814d6

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

uhyqikys.exeuhyqikys.exe

pid process

1040 uhyqikys.exe
656 uhyqikys.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.16115.exeuhyqikys.exe

pid process

1332 SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
1040 uhyqikys.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1040	uhyqikys.exe
656	uhyqikys.exe

pid	process
1332	SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
1040	uhyqikys.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

uhyqikys.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	uhyqikys.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	uhyqikys.exe
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	uhyqikys.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

uhyqikys.exe

description pid process target process

PID 1040 set thread context of 656 1040 uhyqikys.exe uhyqikys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

uhyqikys.exe

description pid process

Token: SeDebugPrivilege 656 uhyqikys.exe

description	pid	process	target process
PID 1040 set thread context of 656	1040	uhyqikys.exe	uhyqikys.exe

description	pid	process
Token: SeDebugPrivilege	656	uhyqikys.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware2.16115.exeuhyqikys.exe

description	pid	process	target process
PID 1332 wrote to memory of 1040	1332	SecuriteInfo.com.W32.AIDetect.malware2.16115.exe	uhyqikys.exe
PID 1332 wrote to memory of 1040	1332	SecuriteInfo.com.W32.AIDetect.malware2.16115.exe	uhyqikys.exe
PID 1332 wrote to memory of 1040	1332	SecuriteInfo.com.W32.AIDetect.malware2.16115.exe	uhyqikys.exe
PID 1332 wrote to memory of 1040	1332	SecuriteInfo.com.W32.AIDetect.malware2.16115.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe
PID 1040 wrote to memory of 656	1040	uhyqikys.exe	uhyqikys.exe

outlook_office_path 1 IoCs

Processes:

uhyqikys.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	uhyqikys.exe

outlook_win_path 1 IoCs

Processes:

uhyqikys.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	uhyqikys.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.16115.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.16115.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe
C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe C:\Users\Admin\AppData\Local\Temp\qitdbbj
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe
C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe C:\Users\Admin\AppData\Local\Temp\qitdbbj
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9el21ap69a71ih
MD5
e93bda648ded0ad7079f19b4b0bb428a

SHA1
801a7ddf7d5fdc980764aa7d356c34b087fbe3f2

SHA256
84355aeeeda66ba08a27ad5c15df27b6bc87f4b370b1205f5938a33483ab0813

SHA512
33beb1fa0c964509e2bb8022a22376135e5fccf2f98e0d554e60f0ff448e3a5a11823ac69c5d2f22ab58ea852b8131b4b76497e7f6faec7d74a980641596cd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\qitdbbj
MD5
67b72c0ea3cb0e106fcaed602d0c8559

SHA1
7119802e2a9377ce5729f0f7b8d415e1ecedd339

SHA256
9219be699e628fb7f8404ee6f69c3e7eb9a1de73fea59cbc30b249d8b6658015

SHA512
75d72a45de2dec4173e44e60cdb4fde2a0b634652bfeca7567a0233a3ee5a909ab5b658c03b34d7d130d409a98b0438d06a2413956351011188d33514ebb7782

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe
MD5
c1a3d57ddb6e5f84efed0b3122b8eff4

SHA1
09fc67e2184549999aaccdd4f1a48b48b2e77f78

SHA256
0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5

SHA512
3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe
MD5
c1a3d57ddb6e5f84efed0b3122b8eff4

SHA1
09fc67e2184549999aaccdd4f1a48b48b2e77f78

SHA256
0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5

SHA512
3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhyqikys.exe
MD5
c1a3d57ddb6e5f84efed0b3122b8eff4

SHA1
09fc67e2184549999aaccdd4f1a48b48b2e77f78

SHA256
0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5

SHA512
3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a

Download Submit
\Users\Admin\AppData\Local\Temp\uhyqikys.exe
MD5
c1a3d57ddb6e5f84efed0b3122b8eff4

SHA1
09fc67e2184549999aaccdd4f1a48b48b2e77f78

SHA256
0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5

SHA512
3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a

Download Submit
\Users\Admin\AppData\Local\Temp\uhyqikys.exe
MD5
c1a3d57ddb6e5f84efed0b3122b8eff4

SHA1
09fc67e2184549999aaccdd4f1a48b48b2e77f78

SHA256
0efaa0c4088494696884b373c8874ffc33485da2513b01002671e4d649ea98e5

SHA512
3b6255abee878f0c29d1aefc54fe8b16cc94694aa388898ae5fbf33463a211a9a3a7325b39d5b2d242d4c4950341d6787d48e970d4f2b8b1d2d347307bcb7d7a

Download Submit
memory/656-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/656-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1332-55-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads