lokibot | a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8

General

Target

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe
Size

208KB
MD5

7d230009eab36798f73226c3adc7ac8e
SHA1

fb28cf281513100854474137becbece52f8964cb
SHA256

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8
SHA512

e3d3fa3093c93d0c3e9e2970242765cb9875f64508815d93acd410efdf564481bba41c454409fc847a2cdf8bcfe70ab2f4277b3e4b8964927baa6a0dbafabff5

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://37.0.11.227/sarag/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

anseamh.exeanseamh.exe

pid process

1120 anseamh.exe
1776 anseamh.exe

pid	process
1120	anseamh.exe
1776	anseamh.exe

Loads dropped DLL 3 IoCs

Processes:

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exeanseamh.exe

pid	process
1664	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe
1664	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe
1120	anseamh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

anseamh.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	anseamh.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	anseamh.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	anseamh.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

anseamh.exe

description pid process target process

PID 1120 set thread context of 1776 1120 anseamh.exe anseamh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

anseamh.exe

description pid process

Token: SeDebugPrivilege 1776 anseamh.exe

description	pid	process	target process
PID 1120 set thread context of 1776	1120	anseamh.exe	anseamh.exe

description	pid	process
Token: SeDebugPrivilege	1776	anseamh.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exeanseamh.exe

description	pid	process	target process
PID 1664 wrote to memory of 1120	1664	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 1664 wrote to memory of 1120	1664	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 1664 wrote to memory of 1120	1664	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 1664 wrote to memory of 1120	1664	a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe
PID 1120 wrote to memory of 1776	1120	anseamh.exe	anseamh.exe

outlook_office_path 1 IoCs

Processes:

anseamh.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	anseamh.exe

outlook_win_path 1 IoCs

Processes:

anseamh.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	anseamh.exe

C:\Users\Admin\AppData\Local\Temp\a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe
"C:\Users\Admin\AppData\Local\Temp\a1b424af1a1f0c7b572adb406b39914beca20139fb88b6e3b8161ed591cb78c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\anseamh.exe
  C:\Users\Admin\AppData\Local\Temp\anseamh.exe C:\Users\Admin\AppData\Local\Temp\qblysgjfpo
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\anseamh.exe
    C:\Users\Admin\AppData\Local\Temp\anseamh.exe C:\Users\Admin\AppData\Local\Temp\qblysgjfpo
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9rslrai5az688

Filesize
103KB

MD5
fa6e53be9ad46836ae678f76d5c9d556

SHA1
89a1f44d1acb2b9e5ff6b6e566ed347d05b52249

SHA256
a1766a96cdc1c18b2d7a8963198ae804e217f13f032faff99d0d62e47310749c

SHA512
daea6fcc09dbdd65c73151c3f5cc9485daa06e5833e68c71c7255a669863f1b1df6e8e17d7ab95f8eb9d0586827ef1cbc1b3eca8f29201aa5531c98094ab9e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
C:\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
C:\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
C:\Users\Admin\AppData\Local\Temp\qblysgjfpo

Filesize
5KB

MD5
b39681d19fe532be0d5fc83eae8b84a6

SHA1
9c8801c5f1f5e2a4a81de6a09dc0616745515c93

SHA256
1c4d28881dd63751e50718e0e06dfd7fa2350de641b4f3685ee83625b25811d8

SHA512
fd4af9286abd1e6cfe36078d0e6725c3fc9cc83283c5a7a466ae33eac408580d8a2f87a0c4acefa52597558c4ac8d1d2ee4714ff523cfa109c6ad706416475ea

Download Submit
\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
\Users\Admin\AppData\Local\Temp\anseamh.exe

Filesize
133KB

MD5
5bb156f3c2fed3035add800f5dfa3af3

SHA1
6c07d16ea59e45600c76054cddd9286e45ce4d83

SHA256
6ce07bdf41b21d46e1be13833670acd47443180b154285c943906012b21ca683

SHA512
68723d06a8c917f14069387274e1cad98d10aa67dbb2dfa8ebd43e579387ba35bde830ee4be616abc9b38fa6a5d81a9ccecc1e06448d8bc4492529d19aa06330

Download Submit
memory/1120-57-0x0000000000000000-mapping.dmp

Download
memory/1664-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1776-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1776-64-0x00000000004139DE-mapping.dmp

Download
memory/1776-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1776-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads