lokibot | 1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5

General

Target

1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe
Size

178KB
MD5

9c7c29f79aa00398bc5ae6ab5e8c0e1d
SHA1

b7ce7d3a983f79135302803f7dba83b774c009f0
SHA256

1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5
SHA512

ba0653c0abf64ad0decd88b681d12b7aedd1183306e73f11a56718cb20338eed0a073c7936b7b95c1b959372af74eb073711c64a9b4626d8c05625fa1f365dec

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

abffk.exeabffk.exe

pid process

1732 abffk.exe
1728 abffk.exe

pid	process
1732	abffk.exe
1728	abffk.exe

Loads dropped DLL 3 IoCs

Processes:

1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exeabffk.exe

pid	process
1812	1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe
1812	1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe
1732	abffk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

abffk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	abffk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	abffk.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	abffk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

abffk.exe

description pid process target process

PID 1732 set thread context of 1728 1732 abffk.exe abffk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

abffk.exe

description pid process

Token: SeDebugPrivilege 1728 abffk.exe

description	pid	process	target process
PID 1732 set thread context of 1728	1732	abffk.exe	abffk.exe

description	pid	process
Token: SeDebugPrivilege	1728	abffk.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exeabffk.exe

description	pid	process	target process
PID 1812 wrote to memory of 1732	1812	1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe	abffk.exe
PID 1812 wrote to memory of 1732	1812	1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe	abffk.exe
PID 1812 wrote to memory of 1732	1812	1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe	abffk.exe
PID 1812 wrote to memory of 1732	1812	1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe
PID 1732 wrote to memory of 1728	1732	abffk.exe	abffk.exe

outlook_office_path 1 IoCs

Processes:

abffk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	abffk.exe

outlook_win_path 1 IoCs

Processes:

abffk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	abffk.exe

C:\Users\Admin\AppData\Local\Temp\1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe
"C:\Users\Admin\AppData\Local\Temp\1e1eaa51dc055269238537f9eab9b186a0adc9f033314e9d445684ae175cf8b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\abffk.exe
  C:\Users\Admin\AppData\Local\Temp\abffk.exe C:\Users\Admin\AppData\Local\Temp\ugjiozgs
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\abffk.exe
    C:\Users\Admin\AppData\Local\Temp\abffk.exe C:\Users\Admin\AppData\Local\Temp\ugjiozgs
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abffk.exe

Filesize
74KB

MD5
9c4757da08ba77d1fb2fcead82c25980

SHA1
995d368fb04c360462b833dae9bc7d4b1750df33

SHA256
08a4ad5e481b5b95f9840d75e3c6e4b366cd31163671a626587ff2bebff5fe6c

SHA512
8ea4a62a6453a5741c491e0b24b78b17612b9364400b6ca6c034d8f7606859b090bdeefbdf6281d0f1f3246f7397c46d698bca34e1c9ab14b6d7fd44cab70b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\abffk.exe

Filesize
74KB

MD5
9c4757da08ba77d1fb2fcead82c25980

SHA1
995d368fb04c360462b833dae9bc7d4b1750df33

SHA256
08a4ad5e481b5b95f9840d75e3c6e4b366cd31163671a626587ff2bebff5fe6c

SHA512
8ea4a62a6453a5741c491e0b24b78b17612b9364400b6ca6c034d8f7606859b090bdeefbdf6281d0f1f3246f7397c46d698bca34e1c9ab14b6d7fd44cab70b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\abffk.exe

Filesize
74KB

MD5
9c4757da08ba77d1fb2fcead82c25980

SHA1
995d368fb04c360462b833dae9bc7d4b1750df33

SHA256
08a4ad5e481b5b95f9840d75e3c6e4b366cd31163671a626587ff2bebff5fe6c

SHA512
8ea4a62a6453a5741c491e0b24b78b17612b9364400b6ca6c034d8f7606859b090bdeefbdf6281d0f1f3246f7397c46d698bca34e1c9ab14b6d7fd44cab70b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksymx4r9m4beqsjgu84

Filesize
103KB

MD5
762a71207ea4f26295c43c2b83e4f3f3

SHA1
737330578a52d4013ba8f9e846253e2f286182d0

SHA256
a4a38e5533a7078fd2b0c55ba1a4502ecd9571503ab0ff490c8688bd3c81dc2d

SHA512
a25aa07f1b34c5eb7dbe4b807e3c70ad56c5c5b08b4cbb88d6833309958b52739961b99d423ff328e503664f7c1fb966ecb5ae7327c5f1b6f0f7b9cad5d6a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugjiozgs

Filesize
4KB

MD5
e40b5bacc458776389eecc1e45b00a1b

SHA1
884caeaba6d4e1094cd4b5cb87212cb2961808d9

SHA256
7b891b5009ac24b9d874de35de19d052e258f46a9288ad123681c3d2adfa4eda

SHA512
42949068daeffbe9ab23ef94aea73c179044a30ee45d0a8fb06a25e712cc1024446b2fd052a75bb196e70571c350d29a1c81fef48feb59118f245b4c037c5778

Download Submit
\Users\Admin\AppData\Local\Temp\abffk.exe

Filesize
74KB

MD5
9c4757da08ba77d1fb2fcead82c25980

SHA1
995d368fb04c360462b833dae9bc7d4b1750df33

SHA256
08a4ad5e481b5b95f9840d75e3c6e4b366cd31163671a626587ff2bebff5fe6c

SHA512
8ea4a62a6453a5741c491e0b24b78b17612b9364400b6ca6c034d8f7606859b090bdeefbdf6281d0f1f3246f7397c46d698bca34e1c9ab14b6d7fd44cab70b35

Download Submit
\Users\Admin\AppData\Local\Temp\abffk.exe

Filesize
74KB

MD5
9c4757da08ba77d1fb2fcead82c25980

SHA1
995d368fb04c360462b833dae9bc7d4b1750df33

SHA256
08a4ad5e481b5b95f9840d75e3c6e4b366cd31163671a626587ff2bebff5fe6c

SHA512
8ea4a62a6453a5741c491e0b24b78b17612b9364400b6ca6c034d8f7606859b090bdeefbdf6281d0f1f3246f7397c46d698bca34e1c9ab14b6d7fd44cab70b35

Download Submit
\Users\Admin\AppData\Local\Temp\abffk.exe

Filesize
74KB

MD5
9c4757da08ba77d1fb2fcead82c25980

SHA1
995d368fb04c360462b833dae9bc7d4b1750df33

SHA256
08a4ad5e481b5b95f9840d75e3c6e4b366cd31163671a626587ff2bebff5fe6c

SHA512
8ea4a62a6453a5741c491e0b24b78b17612b9364400b6ca6c034d8f7606859b090bdeefbdf6281d0f1f3246f7397c46d698bca34e1c9ab14b6d7fd44cab70b35

Download Submit
memory/1728-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1728-65-0x00000000004139DE-mapping.dmp

Download
memory/1728-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1728-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads