lokibot | ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076

General

Target

ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
Size

178KB
MD5

c85a753c46e005748eb59d6d062d596c
SHA1

396d1f6cbcf4e06965f270b7d5aa67ce784cec6b
SHA256

ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076
SHA512

a56eceb55e81e1d83bc3ea11db2889cb1c0c4d907d1d232cfdaecbf9a1ddfa927b70702e32064471841379291eb3e825f22ae5a3dad72ead3aaa763fb48d4980

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

bqxnvpn.exebqxnvpn.exe

pid process

956 bqxnvpn.exe
1692 bqxnvpn.exe

pid	process
956	bqxnvpn.exe
1692	bqxnvpn.exe

Loads dropped DLL 3 IoCs

Processes:

ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exebqxnvpn.exe

pid	process
904	ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
904	ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
956	bqxnvpn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

bqxnvpn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	bqxnvpn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	bqxnvpn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	bqxnvpn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bqxnvpn.exe

description pid process target process

PID 956 set thread context of 1692 956 bqxnvpn.exe bqxnvpn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bqxnvpn.exe

description pid process

Token: SeDebugPrivilege 1692 bqxnvpn.exe

description	pid	process	target process
PID 956 set thread context of 1692	956	bqxnvpn.exe	bqxnvpn.exe

description	pid	process
Token: SeDebugPrivilege	1692	bqxnvpn.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exebqxnvpn.exe

description	pid	process	target process
PID 904 wrote to memory of 956	904	ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe	bqxnvpn.exe
PID 904 wrote to memory of 956	904	ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe	bqxnvpn.exe
PID 904 wrote to memory of 956	904	ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe	bqxnvpn.exe
PID 904 wrote to memory of 956	904	ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe
PID 956 wrote to memory of 1692	956	bqxnvpn.exe	bqxnvpn.exe

outlook_office_path 1 IoCs

Processes:

bqxnvpn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	bqxnvpn.exe

outlook_win_path 1 IoCs

Processes:

bqxnvpn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	bqxnvpn.exe

C:\Users\Admin\AppData\Local\Temp\ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
"C:\Users\Admin\AppData\Local\Temp\ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe C:\Users\Admin\AppData\Local\Temp\xuuzonszwq
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe C:\Users\Admin\AppData\Local\Temp\xuuzonszwq
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5yanui8wijlofiymi3
Filesize
103KB

MD5
47b52a13bab5abc68f0759b85875eeba

SHA1
e3958b54cbf4b7fe049868f515091e0ed0c72924

SHA256
5efb500696a9b4fc8380e9787238a383d3b089726b93217a654de19c8c97b90f

SHA512
2d275b88eba6a96d6825b1e0bbf7bdc6f6911e3c6114c47d26e3469bd35275ce742efba3c2286792711ca069ac08a0425442ced46333aee5b79ffccb386cd414

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
Filesize
74KB

MD5
fbb50a4dde4b69f38e9f2d1479c9071f

SHA1
1dbbf994ed9df12c3954ad4f34567d38ed070e7a

SHA256
479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41

SHA512
b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
Filesize
74KB

MD5
fbb50a4dde4b69f38e9f2d1479c9071f

SHA1
1dbbf994ed9df12c3954ad4f34567d38ed070e7a

SHA256
479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41

SHA512
b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
Filesize
74KB

MD5
fbb50a4dde4b69f38e9f2d1479c9071f

SHA1
1dbbf994ed9df12c3954ad4f34567d38ed070e7a

SHA256
479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41

SHA512
b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuuzonszwq
Filesize
5KB

MD5
b796f086df06d86d89004e4a327cf64c

SHA1
2d3ba67b340f12e7580760f49257cca12e7525c4

SHA256
b80bdb41ee3979fa3c00a7ada454fe9d401405323231e37571173203e52f2675

SHA512
44d5e199f4d19c2b900cedbdc9411e6e58492abf638c3967c88b054ad4d6b897187a65af1540df0d6040e1b977787005030bdbc1ba590cca4d0e7fed0489bf29

Download Submit
\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
Filesize
74KB

MD5
fbb50a4dde4b69f38e9f2d1479c9071f

SHA1
1dbbf994ed9df12c3954ad4f34567d38ed070e7a

SHA256
479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41

SHA512
b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca

Download Submit
\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
Filesize
74KB

MD5
fbb50a4dde4b69f38e9f2d1479c9071f

SHA1
1dbbf994ed9df12c3954ad4f34567d38ed070e7a

SHA256
479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41

SHA512
b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca

Download Submit
\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
Filesize
74KB

MD5
fbb50a4dde4b69f38e9f2d1479c9071f

SHA1
1dbbf994ed9df12c3954ad4f34567d38ed070e7a

SHA256
479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41

SHA512
b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca

Download Submit
memory/904-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/1692-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1692-64-0x00000000004139DE-mapping.dmp

Download
memory/1692-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1692-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads