lokibot | 0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304

General

Target

0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exe
Size

178KB
MD5

9eb9e0b2d312768914016744d9361751
SHA1

d64d4932a27f2dec2119297dcb9536ad1c1e2bf3
SHA256

0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304
SHA512

ad70ecb3d1382907e952917fb221c6b0d28247f43b6a82155528ac45d3fe6065da4a0e98663914297dd1d28eaa5e2838d0df420e5ddb94d5040aae1a845799e0

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.gq/BN3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

ilccnwiljk.exeilccnwiljk.exe

pid process

2936 ilccnwiljk.exe
540 ilccnwiljk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2936	ilccnwiljk.exe
540	ilccnwiljk.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ilccnwiljk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ilccnwiljk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ilccnwiljk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ilccnwiljk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ilccnwiljk.exe

description pid process target process

PID 2936 set thread context of 540 2936 ilccnwiljk.exe ilccnwiljk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ilccnwiljk.exe

description pid process

Token: SeDebugPrivilege 540 ilccnwiljk.exe

description	pid	process	target process
PID 2936 set thread context of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe

description	pid	process
Token: SeDebugPrivilege	540	ilccnwiljk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exeilccnwiljk.exe

description	pid	process	target process
PID 4384 wrote to memory of 2936	4384	0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exe	ilccnwiljk.exe
PID 4384 wrote to memory of 2936	4384	0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exe	ilccnwiljk.exe
PID 4384 wrote to memory of 2936	4384	0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe
PID 2936 wrote to memory of 540	2936	ilccnwiljk.exe	ilccnwiljk.exe

outlook_office_path 1 IoCs

Processes:

ilccnwiljk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ilccnwiljk.exe

outlook_win_path 1 IoCs

Processes:

ilccnwiljk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ilccnwiljk.exe

C:\Users\Admin\AppData\Local\Temp\0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exe
"C:\Users\Admin\AppData\Local\Temp\0160e6f20b6dd8840c7cc06c1b7182b42cd711181270f70419f7df38d62c9304.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe
  C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe C:\Users\Admin\AppData\Local\Temp\vbdtejfadd
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe
    C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe C:\Users\Admin\AppData\Local\Temp\vbdtejfadd
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe

Filesize
73KB

MD5
e51ff21a8c51f6af6d211ddee4e47153

SHA1
1a907af49157ce952e01b0428932a8228f43dd15

SHA256
bc6c68c4038a496706b9ab7673a22805dbe882a90cf02629dd28c374e60f663c

SHA512
f9617c25bc4bda2b1137853dc9894468ec1cbbc9ebc42fdc6c4025831dd033fab1383c9c6cc4202173f043c453282f8be81b136dea3e7c8e1a120eb86cf83240

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe

Filesize
73KB

MD5
e51ff21a8c51f6af6d211ddee4e47153

SHA1
1a907af49157ce952e01b0428932a8228f43dd15

SHA256
bc6c68c4038a496706b9ab7673a22805dbe882a90cf02629dd28c374e60f663c

SHA512
f9617c25bc4bda2b1137853dc9894468ec1cbbc9ebc42fdc6c4025831dd033fab1383c9c6cc4202173f043c453282f8be81b136dea3e7c8e1a120eb86cf83240

Download Submit
C:\Users\Admin\AppData\Local\Temp\ilccnwiljk.exe

Filesize
73KB

MD5
e51ff21a8c51f6af6d211ddee4e47153

SHA1
1a907af49157ce952e01b0428932a8228f43dd15

SHA256
bc6c68c4038a496706b9ab7673a22805dbe882a90cf02629dd28c374e60f663c

SHA512
f9617c25bc4bda2b1137853dc9894468ec1cbbc9ebc42fdc6c4025831dd033fab1383c9c6cc4202173f043c453282f8be81b136dea3e7c8e1a120eb86cf83240

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqva1pekejbmmv6a5cul

Filesize
103KB

MD5
834adfb1e7655f4a4684b3f6c69ed230

SHA1
6cf9705b0129ae83fce884c298e0827d9e46c57d

SHA256
f3357aec527c446db533347404e763380a96106e7313690a2199473f33c96179

SHA512
7136dc491d9f3fbc17e3e82df4a9940593e80400e406fe7876ba01a3ad06af54f38121d0f6655edde2f49f95beb9b3b37c518f28bbc482cef071d155cbaab675

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbdtejfadd

Filesize
4KB

MD5
e39b7111d68aba058c62ea47e557a3cd

SHA1
5474ae245e4a8f9345bfc1db5b447cde95816349

SHA256
610ef593ec8d91d63e9f6f51ab6f05a4eb462bde41ebe866012be08da4534da0

SHA512
688a8ccbe534d4c2f22d9cd1a8c733494eb2f15ebc10a900945f40b9191b62a1be256c26217e8c85ec633b91d73ed6af11074254fb31b090e6918c56833b573f

Download Submit
memory/540-135-0x0000000000000000-mapping.dmp

Download
memory/540-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/540-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/540-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2936-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads