lokibot | de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e

General

Target

de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
Size

178KB
MD5

bce919cf4fa0ea578e827b11c9966dad
SHA1

6191fa2d046b5f3bfda4790609ba6d7945c2d352
SHA256

de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e
SHA512

76c2bb780db2daf46de0f68603ea0b52e3b5803065ced6fe4f30320ddcfc21c38a4dedede5bafe6c3feb2f8ee290e4258f242967688bf54e4014dd1232e9bccb

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.gq/BN3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

paazqnoe.exepaazqnoe.exe

pid process

1716 paazqnoe.exe
888 paazqnoe.exe

pid	process
1716	paazqnoe.exe
888	paazqnoe.exe

Loads dropped DLL 3 IoCs

Processes:

de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exepaazqnoe.exe

pid	process
2008	de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
2008	de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
1716	paazqnoe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

paazqnoe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	paazqnoe.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	paazqnoe.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	paazqnoe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

paazqnoe.exe

description pid process target process

PID 1716 set thread context of 888 1716 paazqnoe.exe paazqnoe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

paazqnoe.exe

description pid process

Token: SeDebugPrivilege 888 paazqnoe.exe

description	pid	process	target process
PID 1716 set thread context of 888	1716	paazqnoe.exe	paazqnoe.exe

description	pid	process
Token: SeDebugPrivilege	888	paazqnoe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exepaazqnoe.exe

description	pid	process	target process
PID 2008 wrote to memory of 1716	2008	de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe	paazqnoe.exe
PID 2008 wrote to memory of 1716	2008	de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe	paazqnoe.exe
PID 2008 wrote to memory of 1716	2008	de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe	paazqnoe.exe
PID 2008 wrote to memory of 1716	2008	de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe
PID 1716 wrote to memory of 888	1716	paazqnoe.exe	paazqnoe.exe

outlook_office_path 1 IoCs

Processes:

paazqnoe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	paazqnoe.exe

outlook_win_path 1 IoCs

Processes:

paazqnoe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	paazqnoe.exe

C:\Users\Admin\AppData\Local\Temp\de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe
"C:\Users\Admin\AppData\Local\Temp\de5cb159429d3332cb3982c2f8fd4354942e756b73fb0f8b05d47c3b7306091e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe
C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe C:\Users\Admin\AppData\Local\Temp\erqeyy
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe
C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe C:\Users\Admin\AppData\Local\Temp\erqeyy
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\87829xa166e7dsgo867
Filesize
103KB

MD5
6b38ce536bcd68c56b9c20892400ef7e

SHA1
349854be6729fb8deda85f120242f59215f4d2c0

SHA256
c0105e7e3f2857cd1210d3e3db1ea095e25eccccda4077466aef4da4ba0de9e7

SHA512
2f0ac00276ea6171946e168e35c4abc8e0caae002ca7a2e716e0f6acc04779d08827a48c4b3a4487c3d5ab86b32ead01dc9e91abffc60a9c369569b47ba0e9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\erqeyy
Filesize
4KB

MD5
bb4b20dfad73538be318958a27b44a25

SHA1
7811239dc382c748684356ee825b0da5c0e1b26c

SHA256
d662b8e90858bdfc0f0c6acee721198a31563048570a4823fa2c86d64aa4949e

SHA512
bc92db2f1f2146507f4da3b5ceb16de72ab90e6aa833ba8e20a858554c984644abe5a62b18eaa1f68a277934755755687f8bac8ec9b9e6ad8704173ada36a6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe
Filesize
74KB

MD5
5edc59a1484b5fffed81d9eadbc6341f

SHA1
a2098315132c5c73efdc1611766e25b5d44ca79f

SHA256
ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c

SHA512
8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe
Filesize
74KB

MD5
5edc59a1484b5fffed81d9eadbc6341f

SHA1
a2098315132c5c73efdc1611766e25b5d44ca79f

SHA256
ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c

SHA512
8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\paazqnoe.exe
Filesize
74KB

MD5
5edc59a1484b5fffed81d9eadbc6341f

SHA1
a2098315132c5c73efdc1611766e25b5d44ca79f

SHA256
ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c

SHA512
8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84

Download Submit
\Users\Admin\AppData\Local\Temp\paazqnoe.exe
Filesize
74KB

MD5
5edc59a1484b5fffed81d9eadbc6341f

SHA1
a2098315132c5c73efdc1611766e25b5d44ca79f

SHA256
ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c

SHA512
8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84

Download Submit
\Users\Admin\AppData\Local\Temp\paazqnoe.exe
Filesize
74KB

MD5
5edc59a1484b5fffed81d9eadbc6341f

SHA1
a2098315132c5c73efdc1611766e25b5d44ca79f

SHA256
ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c

SHA512
8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84

Download Submit
\Users\Admin\AppData\Local\Temp\paazqnoe.exe
Filesize
74KB

MD5
5edc59a1484b5fffed81d9eadbc6341f

SHA1
a2098315132c5c73efdc1611766e25b5d44ca79f

SHA256
ac0f604e275905e8e07e70cadd83f61c28d92d59d545c600fdbe3e1ca940ea2c

SHA512
8298cc3d6fbd16ebf29d0374a5456416f5db3dd72d5d507fbb5ab009b0834414f22f3e2b635d69e212ad889b37b49d15b23e7da3e9a178d40de567c18def2c84

Download Submit
memory/888-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/888-64-0x00000000004139DE-mapping.dmp

Download
memory/888-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/888-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads