lokibot | c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3

General

Target

c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe
Size

178KB
MD5

592c22b9cbed889d85aed60134630f7e
SHA1

14b1e8ad6dcc0698745abaa2548a21693851cc23
SHA256

c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3
SHA512

668ea8f68558fab7731423f0037768aee590c5f346f0149a2e543021618549ed03efcad6f847cfb2d189e9740ef6faa1a012b98e6a335703bd16b6a4a3316c3c

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

cyqffemqe.execyqffemqe.exe

pid process

1824 cyqffemqe.exe
1376 cyqffemqe.exe

pid	process
1824	cyqffemqe.exe
1376	cyqffemqe.exe

Loads dropped DLL 3 IoCs

Processes:

c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.execyqffemqe.exe

pid	process
1208	c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe
1208	c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe
1824	cyqffemqe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cyqffemqe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cyqffemqe.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cyqffemqe.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cyqffemqe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cyqffemqe.exe

description pid process target process

PID 1824 set thread context of 1376 1824 cyqffemqe.exe cyqffemqe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cyqffemqe.exe

description pid process

Token: SeDebugPrivilege 1376 cyqffemqe.exe

description	pid	process	target process
PID 1824 set thread context of 1376	1824	cyqffemqe.exe	cyqffemqe.exe

description	pid	process
Token: SeDebugPrivilege	1376	cyqffemqe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.execyqffemqe.exe

description	pid	process	target process
PID 1208 wrote to memory of 1824	1208	c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe	cyqffemqe.exe
PID 1208 wrote to memory of 1824	1208	c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe	cyqffemqe.exe
PID 1208 wrote to memory of 1824	1208	c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe	cyqffemqe.exe
PID 1208 wrote to memory of 1824	1208	c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe
PID 1824 wrote to memory of 1376	1824	cyqffemqe.exe	cyqffemqe.exe

outlook_office_path 1 IoCs

Processes:

cyqffemqe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cyqffemqe.exe

outlook_win_path 1 IoCs

Processes:

cyqffemqe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cyqffemqe.exe

C:\Users\Admin\AppData\Local\Temp\c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe
"C:\Users\Admin\AppData\Local\Temp\c621f6f6ac9d846039beaa639d87d36d78d7484ec73ac11fbd105a7132f4d6b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe C:\Users\Admin\AppData\Local\Temp\xjwlzxilv
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe C:\Users\Admin\AppData\Local\Temp\xjwlzxilv
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58q8cfg9sttvkv
Filesize
103KB

MD5
21f419f7ec0866027b6c5b97b1592a94

SHA1
d938e1d5b8c61f0ec0786726f446ebb73f9ab083

SHA256
a0e069f5d33ed706f9cc3d86853921299a9741ee692383801de288b31830d2fa

SHA512
2850e8063da826a11897c1455092d3654cd6cb1534045efd2d7e54676da8dab17bbf0b0a9e6e5b10134a0e7017756e0715f6f067f4bc3dd33a2f357b1b5976c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
Filesize
74KB

MD5
984280d342a516dc74fabdcff1ac6d35

SHA1
034d5aecef4fb13c1c0904e6e553c10d3884e4a7

SHA256
28632ca068e374f63993cf13a2c8141c43c25167bfdeb9f1cceb0ba5fb9a641e

SHA512
443a5a582ae4db5ff6a060923d113d657955340c5cb9226c363a6995a8ca81db637620d0705b84b155640e4a1de7dd710bf2305d85e1e29a7c0443c4d3263f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
Filesize
74KB

MD5
984280d342a516dc74fabdcff1ac6d35

SHA1
034d5aecef4fb13c1c0904e6e553c10d3884e4a7

SHA256
28632ca068e374f63993cf13a2c8141c43c25167bfdeb9f1cceb0ba5fb9a641e

SHA512
443a5a582ae4db5ff6a060923d113d657955340c5cb9226c363a6995a8ca81db637620d0705b84b155640e4a1de7dd710bf2305d85e1e29a7c0443c4d3263f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
Filesize
74KB

MD5
984280d342a516dc74fabdcff1ac6d35

SHA1
034d5aecef4fb13c1c0904e6e553c10d3884e4a7

SHA256
28632ca068e374f63993cf13a2c8141c43c25167bfdeb9f1cceb0ba5fb9a641e

SHA512
443a5a582ae4db5ff6a060923d113d657955340c5cb9226c363a6995a8ca81db637620d0705b84b155640e4a1de7dd710bf2305d85e1e29a7c0443c4d3263f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjwlzxilv
Filesize
5KB

MD5
9dcac0d9f296869a15475dba0341a9cd

SHA1
c6884eadbf5dc9a3969316f8dcdffa24d71a9ad1

SHA256
b3c772b798472cf9b25aaf25d33d8370895482ea65efdc51712970387f0b4818

SHA512
6d0a75d3a308a1c3727c446e6e7a572110367595d5872a0671bdeb8ce068ee80b9dba2e206378db9939c739bf257b99a0faf3c8c6fcbd48d2bbe27d51584ca3d

Download Submit
\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
Filesize
74KB

MD5
984280d342a516dc74fabdcff1ac6d35

SHA1
034d5aecef4fb13c1c0904e6e553c10d3884e4a7

SHA256
28632ca068e374f63993cf13a2c8141c43c25167bfdeb9f1cceb0ba5fb9a641e

SHA512
443a5a582ae4db5ff6a060923d113d657955340c5cb9226c363a6995a8ca81db637620d0705b84b155640e4a1de7dd710bf2305d85e1e29a7c0443c4d3263f31

Download Submit
\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
Filesize
74KB

MD5
984280d342a516dc74fabdcff1ac6d35

SHA1
034d5aecef4fb13c1c0904e6e553c10d3884e4a7

SHA256
28632ca068e374f63993cf13a2c8141c43c25167bfdeb9f1cceb0ba5fb9a641e

SHA512
443a5a582ae4db5ff6a060923d113d657955340c5cb9226c363a6995a8ca81db637620d0705b84b155640e4a1de7dd710bf2305d85e1e29a7c0443c4d3263f31

Download Submit
\Users\Admin\AppData\Local\Temp\cyqffemqe.exe
Filesize
74KB

MD5
984280d342a516dc74fabdcff1ac6d35

SHA1
034d5aecef4fb13c1c0904e6e553c10d3884e4a7

SHA256
28632ca068e374f63993cf13a2c8141c43c25167bfdeb9f1cceb0ba5fb9a641e

SHA512
443a5a582ae4db5ff6a060923d113d657955340c5cb9226c363a6995a8ca81db637620d0705b84b155640e4a1de7dd710bf2305d85e1e29a7c0443c4d3263f31

Download Submit
memory/1208-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1376-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1376-65-0x00000000004139DE-mapping.dmp

Download
memory/1376-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1376-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1824-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads