lokibot | b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d

General

Target

b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exe
Size

178KB
MD5

5264d75ed1b113608eab5ee6af7a12c7
SHA1

b8c319a111040216ed7b350a3ebde1270b4a21ad
SHA256

b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d
SHA512

ac5571eceb77dfb345737cb95d05464fc9e59f5bed56d272eecb3d56c6410cb7708583c32de1c27145e008f8a6ba4937df171ac8c46ea4db9199f1e33b78220e

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gf9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

ftefzusfaz.exeftefzusfaz.exe

pid process

1812 ftefzusfaz.exe
1572 ftefzusfaz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1812	ftefzusfaz.exe
1572	ftefzusfaz.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ftefzusfaz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ftefzusfaz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ftefzusfaz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ftefzusfaz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ftefzusfaz.exe

description pid process target process

PID 1812 set thread context of 1572 1812 ftefzusfaz.exe ftefzusfaz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ftefzusfaz.exe

description pid process

Token: SeDebugPrivilege 1572 ftefzusfaz.exe

description	pid	process	target process
PID 1812 set thread context of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe

description	pid	process
Token: SeDebugPrivilege	1572	ftefzusfaz.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exeftefzusfaz.exe

description	pid	process	target process
PID 4932 wrote to memory of 1812	4932	b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exe	ftefzusfaz.exe
PID 4932 wrote to memory of 1812	4932	b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exe	ftefzusfaz.exe
PID 4932 wrote to memory of 1812	4932	b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe
PID 1812 wrote to memory of 1572	1812	ftefzusfaz.exe	ftefzusfaz.exe

outlook_office_path 1 IoCs

Processes:

ftefzusfaz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ftefzusfaz.exe

outlook_win_path 1 IoCs

Processes:

ftefzusfaz.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ftefzusfaz.exe

C:\Users\Admin\AppData\Local\Temp\b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exe
"C:\Users\Admin\AppData\Local\Temp\b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe
C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe C:\Users\Admin\AppData\Local\Temp\iyowhf
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe
C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe C:\Users\Admin\AppData\Local\Temp\iyowhf
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe
Filesize
74KB

MD5
8ae996c52ffdc834659c42461edb8d68

SHA1
a84794806a08c3510e82d3dfd4c9a51cdf4f0f00

SHA256
b50eb01728827bdd5e0b26de9a41372b1ab6454f493e29a0b557c3080f7aa0af

SHA512
acd84d1a6da600e3cf9ec3e7ec86e999a9398130fb3fee8e25772951ebb85b54bf69d4117d7a96d89c74ba29ddf16018b25ab0194842fc7292028163fdbd56d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe
Filesize
74KB

MD5
8ae996c52ffdc834659c42461edb8d68

SHA1
a84794806a08c3510e82d3dfd4c9a51cdf4f0f00

SHA256
b50eb01728827bdd5e0b26de9a41372b1ab6454f493e29a0b557c3080f7aa0af

SHA512
acd84d1a6da600e3cf9ec3e7ec86e999a9398130fb3fee8e25772951ebb85b54bf69d4117d7a96d89c74ba29ddf16018b25ab0194842fc7292028163fdbd56d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftefzusfaz.exe
Filesize
74KB

MD5
8ae996c52ffdc834659c42461edb8d68

SHA1
a84794806a08c3510e82d3dfd4c9a51cdf4f0f00

SHA256
b50eb01728827bdd5e0b26de9a41372b1ab6454f493e29a0b557c3080f7aa0af

SHA512
acd84d1a6da600e3cf9ec3e7ec86e999a9398130fb3fee8e25772951ebb85b54bf69d4117d7a96d89c74ba29ddf16018b25ab0194842fc7292028163fdbd56d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyowhf
Filesize
5KB

MD5
0121d3be0eb981b979fdb5461ed46889

SHA1
b04753b2b7b2a4311965856d25c018e65849b7c0

SHA256
d8636f8f8f51ff4e7ad30790dbbe37da3b1cea73b60b78d7d85d9b5fe521394a

SHA512
c8c198b59b5fd59f369f36fda2aaf8c6ed1e40172d530d736fb5b5679e30fd4814fdf48219e48ba6e0f29b587d6ed950d0bc22e15f698510aece253d21a67487

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3a1nla8pagw58fb1
Filesize
103KB

MD5
3f11407b096a760fab065581940f94bb

SHA1
f39364e432896a2e4f8b00f883d5d296c4fa866e

SHA256
56255e7b015d09ca86c21b48c0731222b4659086537cb70530535413bebf9e3c

SHA512
bd045bc348bf34ebd7456bb081e5f0955f56055a1c2312b4116b84f3097db640bbebefdabf2913d5453d1fd71ee1c3bfa69aa2c01be3cb41f84664ad1e287a64

Download Submit
memory/1572-136-0x0000000000000000-mapping.dmp

Download
memory/1572-137-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1572-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1572-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1812-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads