lokibot | b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4

General

Target

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe
Size

158KB
MD5

fc48281921537737b4e8f6a13e234c6f
SHA1

49572865abff97bafc25256452b2e2e3c692dc5d
SHA256

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4
SHA512

2142d2eeadbf0616fda2585ff06916a3e990d3ca90a89f0695bbf086ece3db99677463075e2f6c2c61eae9949d28537e4f056d0d2ae3f271aaea0fc18f7bbd84

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.ga/Legend/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

fweqz.exefweqz.exe

pid process

1876 fweqz.exe
968 fweqz.exe
Loads dropped DLL 2 IoCs

Processes:

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exefweqz.exe

pid process

1844 b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe
1876 fweqz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1876	fweqz.exe
968	fweqz.exe

pid	process
1844	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe
1876	fweqz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fweqz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fweqz.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	fweqz.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fweqz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fweqz.exe

description pid process target process

PID 1876 set thread context of 968 1876 fweqz.exe fweqz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fweqz.exe

description pid process

Token: SeDebugPrivilege 968 fweqz.exe

description	pid	process	target process
PID 1876 set thread context of 968	1876	fweqz.exe	fweqz.exe

description	pid	process
Token: SeDebugPrivilege	968	fweqz.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exefweqz.exe

description	pid	process	target process
PID 1844 wrote to memory of 1876	1844	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 1844 wrote to memory of 1876	1844	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 1844 wrote to memory of 1876	1844	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 1844 wrote to memory of 1876	1844	b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe
PID 1876 wrote to memory of 968	1876	fweqz.exe	fweqz.exe

outlook_office_path 1 IoCs

Processes:

fweqz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	fweqz.exe

outlook_win_path 1 IoCs

Processes:

fweqz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fweqz.exe

C:\Users\Admin\AppData\Local\Temp\b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe
"C:\Users\Admin\AppData\Local\Temp\b7dfe331c6260d43efacb7ca54ce480d64c832209d4c013371d76590bedc0ba4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\fweqz.exe
  C:\Users\Admin\AppData\Local\Temp\fweqz.exe C:\Users\Admin\AppData\Local\Temp\fkauqdsiir
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\fweqz.exe
    C:\Users\Admin\AppData\Local\Temp\fweqz.exe C:\Users\Admin\AppData\Local\Temp\fkauqdsiir
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fkauqdsiir

Filesize
5KB

MD5
64e0957b219d4139b08d8b0f9ae54a25

SHA1
e3a43ccbab03a619d4c85a9994c92941d336f66b

SHA256
b45c5f65ddee397bc18bb0dbdb4205b53f6fd731f7d5be8faeb9ab91f860e6de

SHA512
c8a6a1be2f4f410fc9657a2822cbb946d07e52a64bdb99b6ec04b610959acd837f5491848abf10f1b1b9c22847a11eb81b204a673a815b8d846fa80c4ccf39e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\sr2bbrtjwe

Filesize
103KB

MD5
a9c38f10c2e854d16bd364c47b9aa68e

SHA1
f16e00511c381bf93cd51fe7c53201276d55f833

SHA256
9d025b4958bfd0d490e8244b72c5a92444ed673813f6e1b71e819c59b4e82f4c

SHA512
369e6ba35aab71a67db9787fe9d0938e61e0abce3b7028655281012425e05c5b379316912ca1df1c66aa0ccbb015f9cef5f1aa983f24e146b66514ef093aaa91

Download Submit
\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
\Users\Admin\AppData\Local\Temp\fweqz.exe

Filesize
79KB

MD5
b7f1ea2238a66e30e34894fd2fc81876

SHA1
62f16d11a681ba91cdf8f1acd81f562113d87529

SHA256
1759959a3241bb47b897b29913e0a56a42c51051bc81a69adb22bdfe5db158be

SHA512
81a962a941249a60118507df12e811ad64fd3dd67f29a32cd6e8fcc997a0728e4876336b8e1178131a2f26719510142850166597b9e62ba4d4fe838963b56d77

Download Submit
memory/968-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/968-63-0x00000000004139DE-mapping.dmp

Download
memory/968-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/968-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1844-54-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/1876-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads