lokibot | 7eaffbf0e048501f710bef50d95d59870d638c7e64225397f1ae1d03014c8b19

General

Target

8c7e9d4d5f172854a531a86d34af2c8c.exe
Size

123KB
MD5

8c7e9d4d5f172854a531a86d34af2c8c
SHA1

43d99c2bf4d5fce1b640b4ee65b234ced6292c35
SHA256

7eaffbf0e048501f710bef50d95d59870d638c7e64225397f1ae1d03014c8b19
SHA512

d8b28dd232248da57d2762363661a80762c17822baff5d1a3efdd4ae1e160b6a85f77d9f5a09e1ebe0b653e8dbdbde65b36c08873a8d8ed5bfb3a9d48c865c5c

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://37.0.11.227/sarag/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

dtlrkp.exedtlrkp.exe

pid process

3412 dtlrkp.exe
4160 dtlrkp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3412	dtlrkp.exe
4160	dtlrkp.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dtlrkp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dtlrkp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dtlrkp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dtlrkp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dtlrkp.exe

description pid process target process

PID 3412 set thread context of 4160 3412 dtlrkp.exe dtlrkp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dtlrkp.exe

description pid process

Token: SeDebugPrivilege 4160 dtlrkp.exe

description	pid	process	target process
PID 3412 set thread context of 4160	3412	dtlrkp.exe	dtlrkp.exe

description	pid	process
Token: SeDebugPrivilege	4160	dtlrkp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8c7e9d4d5f172854a531a86d34af2c8c.exedtlrkp.exe

description	pid	process	target process
PID 3520 wrote to memory of 3412	3520	8c7e9d4d5f172854a531a86d34af2c8c.exe	dtlrkp.exe
PID 3520 wrote to memory of 3412	3520	8c7e9d4d5f172854a531a86d34af2c8c.exe	dtlrkp.exe
PID 3520 wrote to memory of 3412	3520	8c7e9d4d5f172854a531a86d34af2c8c.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe
PID 3412 wrote to memory of 4160	3412	dtlrkp.exe	dtlrkp.exe

outlook_office_path 1 IoCs

Processes:

dtlrkp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dtlrkp.exe

outlook_win_path 1 IoCs

Processes:

dtlrkp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dtlrkp.exe

C:\Users\Admin\AppData\Local\Temp\8c7e9d4d5f172854a531a86d34af2c8c.exe
"C:\Users\Admin\AppData\Local\Temp\8c7e9d4d5f172854a531a86d34af2c8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe C:\Users\Admin\AppData\Local\Temp\hzuplybmb
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe C:\Users\Admin\AppData\Local\Temp\hzuplybmb
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
Filesize
5KB

MD5
8b30d9f0ee85f71c5599dcb7701ce2d8

SHA1
017fb9d1914e5582d86e201e0b7081753ee32c16

SHA256
57616ecf2f2355f4bcba77c0a01b6081f7c24cbed9658bb79cc42ba19bd13ef0

SHA512
7aa43abe21e5202b2a2984a6dadb0224f9b049ebbfd42d790cd7f96ce3f93c4b09ef19140277d08fed21ea5ffc4038f3b6c4bc28309ff5a5e82e1a3525e0970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
Filesize
5KB

MD5
8b30d9f0ee85f71c5599dcb7701ce2d8

SHA1
017fb9d1914e5582d86e201e0b7081753ee32c16

SHA256
57616ecf2f2355f4bcba77c0a01b6081f7c24cbed9658bb79cc42ba19bd13ef0

SHA512
7aa43abe21e5202b2a2984a6dadb0224f9b049ebbfd42d790cd7f96ce3f93c4b09ef19140277d08fed21ea5ffc4038f3b6c4bc28309ff5a5e82e1a3525e0970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtlrkp.exe
Filesize
5KB

MD5
8b30d9f0ee85f71c5599dcb7701ce2d8

SHA1
017fb9d1914e5582d86e201e0b7081753ee32c16

SHA256
57616ecf2f2355f4bcba77c0a01b6081f7c24cbed9658bb79cc42ba19bd13ef0

SHA512
7aa43abe21e5202b2a2984a6dadb0224f9b049ebbfd42d790cd7f96ce3f93c4b09ef19140277d08fed21ea5ffc4038f3b6c4bc28309ff5a5e82e1a3525e0970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzuplybmb
Filesize
5KB

MD5
19be22ab21af9dfdc9c6d22da14ea0fd

SHA1
2ae84d7e3a14f58ceea593e559127e96a62422f4

SHA256
6e5040f059188400a96dee6433be85a859e2e4f28d73842cd7c31effc0c95e8d

SHA512
dd67366179f6cdfe461d0796de3aa1ef6a52d325727c9342811455399e4c3a8c2add9fd19738134262d56f3b815b83c744131afc372ad9afed42fc3f44cabeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3e3yvw7kwoie
Filesize
103KB

MD5
232a82fa0023be63b64acd8ade3d1e85

SHA1
bc4a4e69a8bc9628fa80ea05683c2cad70cee18e

SHA256
dc049f4f8fe69ab69c7b86af32b4c5a671e158329130c8718e40b4ec093ed725

SHA512
8fb6038b9570605ce0f30dd808f75c4b0c4fca0fbd06c993b39ef1ad7cbd30b19a8ec24d4f89ebbb1453a5cf9aea0c1777cba36c5aeb008abead45d0a53cf153

Download Submit
memory/3412-130-0x0000000000000000-mapping.dmp

Download
memory/4160-135-0x0000000000000000-mapping.dmp

Download
memory/4160-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4160-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4160-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads