lokibot | 2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c

General

Target

2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe
Size

178KB
MD5

8727321276f756618f961727765b792c
SHA1

dd969fedc02d081c945a9658ef39bffd22562e5a
SHA256

2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c
SHA512

8d338425c7f2799568052421193659c92a66f0731851284e7b3742eb3498cfb0dc98db350dca5c50138878a2bcb5fb8a9e5e88c2fa88259571593c8387cdd5ce

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

zklawdjvy.exezklawdjvy.exe

pid process

4448 zklawdjvy.exe
4412 zklawdjvy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4448	zklawdjvy.exe
4412	zklawdjvy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

zklawdjvy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	zklawdjvy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	zklawdjvy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	zklawdjvy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zklawdjvy.exe

description pid process target process

PID 4448 set thread context of 4412 4448 zklawdjvy.exe zklawdjvy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zklawdjvy.exe

description pid process

Token: SeDebugPrivilege 4412 zklawdjvy.exe

description	pid	process	target process
PID 4448 set thread context of 4412	4448	zklawdjvy.exe	zklawdjvy.exe

description	pid	process
Token: SeDebugPrivilege	4412	zklawdjvy.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exezklawdjvy.exe

description	pid	process	target process
PID 2284 wrote to memory of 4448	2284	2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe	zklawdjvy.exe
PID 2284 wrote to memory of 4448	2284	2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe	zklawdjvy.exe
PID 2284 wrote to memory of 4448	2284	2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe
PID 4448 wrote to memory of 4412	4448	zklawdjvy.exe	zklawdjvy.exe

outlook_office_path 1 IoCs

Processes:

zklawdjvy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	zklawdjvy.exe

outlook_win_path 1 IoCs

Processes:

zklawdjvy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	zklawdjvy.exe

C:\Users\Admin\AppData\Local\Temp\2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe
"C:\Users\Admin\AppData\Local\Temp\2f09e405b151f6b622d7c5fe91acaca861f3162ca65043eeae7e923ca8aa850c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe
C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe C:\Users\Admin\AppData\Local\Temp\aqxytychqy
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe
C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe C:\Users\Admin\AppData\Local\Temp\aqxytychqy
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqxytychqy
Filesize
5KB

MD5
043233f83fabb092d18d0f552ba56204

SHA1
963d81ff9e98f7c991290f923f057b18839ccc6f

SHA256
811d04e65124770dd31623b2c69f0907e9ef178f2cbffeea9f1351bb818cd2ce

SHA512
10a2088b8132056cde09a4599861cbbf592a82d6f24926c26b0dc3390476602ceadefe6c356e673607d99d03b6d0e34777f8f09d1f2f86746c18d7edfc43d255

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpl166qjoes9
Filesize
103KB

MD5
09aadf2d88af5075fb5ca926b0573694

SHA1
0575446c6c2132459f4f9da9b70240b5e3becbbf

SHA256
b797fa3811c9ee2a864f3e8a32b1f30fab8dad636df0e24104931a09616634c5

SHA512
f5f2a99eb698e4a1fc7dac6abb3cf902d57d4b0085046cc3df7f86cbaca614b5e2b5612b91658da4ecf6c30d7860088b7ea0eb4bc63fee0849072150025c4bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe
Filesize
73KB

MD5
ce26f402975de521ae007b7ddcde432b

SHA1
4ed662e7f7587f301a6029ec075de8d59ccc2347

SHA256
6ce0285701dbca3bea77b9cea8a740071c90415950194d5b6a4e9f858c1b2643

SHA512
ce9729f674e1b396841ebe69c384c1e4ff3628586edbd8b8ee110433ebf24f6f71cdf17de742ce226f4b4e8350210c238eedb25ba50737a86b1b935749b0bbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe
Filesize
73KB

MD5
ce26f402975de521ae007b7ddcde432b

SHA1
4ed662e7f7587f301a6029ec075de8d59ccc2347

SHA256
6ce0285701dbca3bea77b9cea8a740071c90415950194d5b6a4e9f858c1b2643

SHA512
ce9729f674e1b396841ebe69c384c1e4ff3628586edbd8b8ee110433ebf24f6f71cdf17de742ce226f4b4e8350210c238eedb25ba50737a86b1b935749b0bbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zklawdjvy.exe
Filesize
73KB

MD5
ce26f402975de521ae007b7ddcde432b

SHA1
4ed662e7f7587f301a6029ec075de8d59ccc2347

SHA256
6ce0285701dbca3bea77b9cea8a740071c90415950194d5b6a4e9f858c1b2643

SHA512
ce9729f674e1b396841ebe69c384c1e4ff3628586edbd8b8ee110433ebf24f6f71cdf17de742ce226f4b4e8350210c238eedb25ba50737a86b1b935749b0bbdb

Download Submit
memory/4412-135-0x0000000000000000-mapping.dmp

Download
memory/4412-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4412-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4412-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4448-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads