lokibot | 434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380

General

Target

434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe
Size

208KB
MD5

e647eb555d9cabaf7997da05d2195ad0
SHA1

ee2add1f7c0bacf5b539f57ace0e66e3213954a1
SHA256

434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380
SHA512

692635cc4681bd42de805efa9626726d8e14e8dadf108ca696402666f43ca8c78f516bebd3df696b19d2c18a0dac025199d2fa8b7dea3fee830cc21c12ebb63b

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

kezpj.exekezpj.exe

pid process

1644 kezpj.exe
904 kezpj.exe

pid	process
1644	kezpj.exe
904	kezpj.exe

Loads dropped DLL 3 IoCs

Processes:

434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exekezpj.exe

pid	process
1672	434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe
1672	434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe
1644	kezpj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

kezpj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kezpj.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	kezpj.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kezpj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kezpj.exe

description pid process target process

PID 1644 set thread context of 904 1644 kezpj.exe kezpj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kezpj.exe

description pid process

Token: SeDebugPrivilege 904 kezpj.exe

description	pid	process	target process
PID 1644 set thread context of 904	1644	kezpj.exe	kezpj.exe

description	pid	process
Token: SeDebugPrivilege	904	kezpj.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exekezpj.exe

description	pid	process	target process
PID 1672 wrote to memory of 1644	1672	434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe	kezpj.exe
PID 1672 wrote to memory of 1644	1672	434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe	kezpj.exe
PID 1672 wrote to memory of 1644	1672	434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe	kezpj.exe
PID 1672 wrote to memory of 1644	1672	434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe
PID 1644 wrote to memory of 904	1644	kezpj.exe	kezpj.exe

outlook_office_path 1 IoCs

Processes:

kezpj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kezpj.exe

outlook_win_path 1 IoCs

Processes:

kezpj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kezpj.exe

C:\Users\Admin\AppData\Local\Temp\434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe
"C:\Users\Admin\AppData\Local\Temp\434e76f577ffcd5513d95da9adce03abd7eacd4dfe4ff8c320d9a8fe18b0c380.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\kezpj.exe
  C:\Users\Admin\AppData\Local\Temp\kezpj.exe C:\Users\Admin\AppData\Local\Temp\mctjknqvqh
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\kezpj.exe
    C:\Users\Admin\AppData\Local\Temp\kezpj.exe C:\Users\Admin\AppData\Local\Temp\mctjknqvqh
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ftzf563eb1toix

Filesize
103KB

MD5
b534d296ccc77bbd3c6395583840d2a5

SHA1
b61e51038c72679abe31e8e2eaa908ba99106376

SHA256
77ce459c786df3e0719220cccfbc0b3eaa81ca1d746038d0686ad01ba1a0a3f4

SHA512
ff0de31e855b6089c4a4896784b32ada041e85275320b1d33d4001dc8783259554a3e1ccdf465bd1aa197ab217e3700b31d00ca4181d59913bc20b1b199867d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kezpj.exe

Filesize
133KB

MD5
7b47504aedf9269f2b4037fa440b83ba

SHA1
c533b0f90f35ed1fd2833b694ee7a3547bff718b

SHA256
d0fe11c35a7102c3c7f746ae4b8f1e3787bdf0f448a9d9887064dc1ff28295ad

SHA512
6f70a328517141e135a3ccbdfbccb6355fd561883f0a2c3c276851e118887c3d36d7106164fa15d2a0dd1609004155b6718d04c38930a293812bc03477c802d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kezpj.exe

Filesize
133KB

MD5
7b47504aedf9269f2b4037fa440b83ba

SHA1
c533b0f90f35ed1fd2833b694ee7a3547bff718b

SHA256
d0fe11c35a7102c3c7f746ae4b8f1e3787bdf0f448a9d9887064dc1ff28295ad

SHA512
6f70a328517141e135a3ccbdfbccb6355fd561883f0a2c3c276851e118887c3d36d7106164fa15d2a0dd1609004155b6718d04c38930a293812bc03477c802d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kezpj.exe

Filesize
133KB

MD5
7b47504aedf9269f2b4037fa440b83ba

SHA1
c533b0f90f35ed1fd2833b694ee7a3547bff718b

SHA256
d0fe11c35a7102c3c7f746ae4b8f1e3787bdf0f448a9d9887064dc1ff28295ad

SHA512
6f70a328517141e135a3ccbdfbccb6355fd561883f0a2c3c276851e118887c3d36d7106164fa15d2a0dd1609004155b6718d04c38930a293812bc03477c802d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mctjknqvqh

Filesize
4KB

MD5
ad7154ff91e0b554cc775b6f03b38ffd

SHA1
a9d9d924a2f1cc1e696353785f9388a789c38bcf

SHA256
9d543b32ab9c3df16b6fdcaaa3b2ce0826a35ea8e32b2abb1a0609e91ff652a1

SHA512
bf916ec2b600e2d0fa32795f0cc3f18afface7d61fff26abfc6ed2ae365e69bb04c44db291c0ff870f10df5780e97afe24e902f9506550e5ec8fca83ad6937ea

Download Submit
\Users\Admin\AppData\Local\Temp\kezpj.exe

Filesize
133KB

MD5
7b47504aedf9269f2b4037fa440b83ba

SHA1
c533b0f90f35ed1fd2833b694ee7a3547bff718b

SHA256
d0fe11c35a7102c3c7f746ae4b8f1e3787bdf0f448a9d9887064dc1ff28295ad

SHA512
6f70a328517141e135a3ccbdfbccb6355fd561883f0a2c3c276851e118887c3d36d7106164fa15d2a0dd1609004155b6718d04c38930a293812bc03477c802d9

Download Submit
\Users\Admin\AppData\Local\Temp\kezpj.exe

Filesize
133KB

MD5
7b47504aedf9269f2b4037fa440b83ba

SHA1
c533b0f90f35ed1fd2833b694ee7a3547bff718b

SHA256
d0fe11c35a7102c3c7f746ae4b8f1e3787bdf0f448a9d9887064dc1ff28295ad

SHA512
6f70a328517141e135a3ccbdfbccb6355fd561883f0a2c3c276851e118887c3d36d7106164fa15d2a0dd1609004155b6718d04c38930a293812bc03477c802d9

Download Submit
\Users\Admin\AppData\Local\Temp\kezpj.exe

Filesize
133KB

MD5
7b47504aedf9269f2b4037fa440b83ba

SHA1
c533b0f90f35ed1fd2833b694ee7a3547bff718b

SHA256
d0fe11c35a7102c3c7f746ae4b8f1e3787bdf0f448a9d9887064dc1ff28295ad

SHA512
6f70a328517141e135a3ccbdfbccb6355fd561883f0a2c3c276851e118887c3d36d7106164fa15d2a0dd1609004155b6718d04c38930a293812bc03477c802d9

Download Submit
memory/904-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/904-64-0x00000000004139DE-mapping.dmp

Download
memory/904-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/904-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1644-57-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads