lokibot | 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927

General

Target

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
Size

207KB
MD5

0af7fbb3b5a2a7059555859c4c1db8f9
SHA1

67e96d488538213b16c6c0c599648437a176039a
SHA256

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927
SHA512

3a2174b9930aab109cba7fba398dca4f4f99bd1fe6a96f6b954bc3d49a9cb2e3e17cf5cbc33d363722f41aabf7e71515b28fa752617c0e882f4e3c6ff1226f5c

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

lttfsgn.exelttfsgn.exe

pid process

964 lttfsgn.exe
1528 lttfsgn.exe

pid	process
964	lttfsgn.exe
1528	lttfsgn.exe

Loads dropped DLL 3 IoCs

Processes:

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exelttfsgn.exe

pid	process
1672	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
1672	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
964	lttfsgn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

lttfsgn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lttfsgn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	lttfsgn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lttfsgn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lttfsgn.exe

description pid process target process

PID 964 set thread context of 1528 964 lttfsgn.exe lttfsgn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lttfsgn.exe

description pid process

Token: SeDebugPrivilege 1528 lttfsgn.exe

description	pid	process	target process
PID 964 set thread context of 1528	964	lttfsgn.exe	lttfsgn.exe

description	pid	process
Token: SeDebugPrivilege	1528	lttfsgn.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exelttfsgn.exe

description	pid	process	target process
PID 1672 wrote to memory of 964	1672	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 1672 wrote to memory of 964	1672	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 1672 wrote to memory of 964	1672	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 1672 wrote to memory of 964	1672	0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe
PID 964 wrote to memory of 1528	964	lttfsgn.exe	lttfsgn.exe

outlook_office_path 1 IoCs

Processes:

lttfsgn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	lttfsgn.exe

outlook_win_path 1 IoCs

Processes:

lttfsgn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	lttfsgn.exe

C:\Users\Admin\AppData\Local\Temp\0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe
"C:\Users\Admin\AppData\Local\Temp\0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe C:\Users\Admin\AppData\Local\Temp\qxeeuj
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe C:\Users\Admin\AppData\Local\Temp\qxeeuj
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9sjm3acpe7f5ws
Filesize
103KB

MD5
74682f26d87f1047426bfee935e559c2

SHA1
3fad4b39590a96fc0fdcb202c0d8d68ec79712d8

SHA256
89c2359ae8ca561e67d1279db5303da03f5890f11d1af5aa24e821ff69a03da7

SHA512
bd44841a01278312113d652ddd07384fd53a729d465dc1ca8919471825f94250f0997aed4979174a25461a99bdb48c9acffbc1bc469b16172add2c556e29eeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lttfsgn.exe
Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxeeuj
Filesize
4KB

MD5
071ab2ca94d7132ee9c128ae20c80dbe

SHA1
d730e3571bed9e1123610abe7bea405b3e6bcdfb

SHA256
79cc7d5a87c98bc5e842153f52d8280cf091778cd87e4cfe206813324f577602

SHA512
fdfe461020f6c9296df62e478d066c204346f384d94ea890aca4bf59a22df8b39a677176c4a960b5fc85e846da9c54a83ed749b624abf5894b3ef8f0850f749d

Download Submit
\Users\Admin\AppData\Local\Temp\lttfsgn.exe
Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
\Users\Admin\AppData\Local\Temp\lttfsgn.exe
Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
\Users\Admin\AppData\Local\Temp\lttfsgn.exe
Filesize
133KB

MD5
3c8cea06cad8765aa6bef67fe5d892ab

SHA1
65f56236f5b566974ea2f9bcb83ed56465efef51

SHA256
b9c4263c968b126486680b6e4f47edfa280d82f8df77bab864302312f82d47fc

SHA512
16bbda6cab5d098d0c53674da33985c3eb5723393a40c46f23bce6ef9135b31748f86cf8e5f742ba9c68181b5da91935741e9920d54e6628349ab63f876dac5f

Download Submit
memory/964-57-0x0000000000000000-mapping.dmp

Download
memory/1528-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-64-0x00000000004139DE-mapping.dmp

Download
memory/1528-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1672-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads