lokibot | 60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416

General

Target

60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exe
Size

178KB
MD5

943a92b0b61eec9be60863ae6848f2b4
SHA1

42076d3cae711e804795fc4e5852e8f1dd9fd934
SHA256

60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416
SHA512

bb06b79412bf0462d5ede5ede1790ea528c9f47e00370d41a373aa49c49cb27dd8f7862c823c729e919a84c4928b735fe0f54a4868b8e555660fbeb80ca99df7

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

wpaflxvx.exewpaflxvx.exe

pid process

1292 wpaflxvx.exe
2856 wpaflxvx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1292	wpaflxvx.exe
2856	wpaflxvx.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wpaflxvx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wpaflxvx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wpaflxvx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wpaflxvx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wpaflxvx.exe

description pid process target process

PID 1292 set thread context of 2856 1292 wpaflxvx.exe wpaflxvx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wpaflxvx.exe

description pid process

Token: SeDebugPrivilege 2856 wpaflxvx.exe

description	pid	process	target process
PID 1292 set thread context of 2856	1292	wpaflxvx.exe	wpaflxvx.exe

description	pid	process
Token: SeDebugPrivilege	2856	wpaflxvx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exewpaflxvx.exe

description	pid	process	target process
PID 2620 wrote to memory of 1292	2620	60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exe	wpaflxvx.exe
PID 2620 wrote to memory of 1292	2620	60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exe	wpaflxvx.exe
PID 2620 wrote to memory of 1292	2620	60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe
PID 1292 wrote to memory of 2856	1292	wpaflxvx.exe	wpaflxvx.exe

outlook_office_path 1 IoCs

Processes:

wpaflxvx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wpaflxvx.exe

outlook_win_path 1 IoCs

Processes:

wpaflxvx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wpaflxvx.exe

C:\Users\Admin\AppData\Local\Temp\60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exe
"C:\Users\Admin\AppData\Local\Temp\60e7b7da05ecbd0f5badda6f55ddd865c73453b620067a0dbfc4e7cc76caf416.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe
  C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe C:\Users\Admin\AppData\Local\Temp\welrhzrs
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe
    C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe C:\Users\Admin\AppData\Local\Temp\welrhzrs
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qi2x0e19hif

Filesize
103KB

MD5
b9407e7b8d4584176872518d5cdfaf24

SHA1
dc5fb590d44a3d51bcebeba19be1d571ee4133ba

SHA256
385861474c39bfb2d6bfce8ccc289339e176095acadad9afaab2cd20b02c7a57

SHA512
972993d7995d57d7af99873a96a4a740a0d5b336940cde9c302b4ec1fcab23c2ca07787acef1576e3aa3dec22f6d73a0e6baa00942ac43c95607ce191fe8a591

Download Submit
C:\Users\Admin\AppData\Local\Temp\welrhzrs

Filesize
4KB

MD5
e8481fa7225513a43128d5c341456196

SHA1
4367f8cbcae941ae7b3d7fc93d12fff8cbe1b4db

SHA256
a73d7185e8ae76591838024c8f026bd1663a4aedf2f94477c9c4b8e19be9139f

SHA512
9defe6a19217a35e6b4e89c6784c2a3da7c3948ce87bafd42e8e76144fef905c29f760331c8402e3ed00cca0dcdb64cb8580b2b5d10c939d632d2381518625eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe

Filesize
74KB

MD5
c5219a5b9796c2ea53ba71e1600c59e6

SHA1
feece2840c955a5e8d193df34e1db9769b78b3ca

SHA256
c63af1e880ea4cacf98247017c2b0bc7644223cb3ffb2c034b71a2cec8b694c9

SHA512
48494f244607ba6326b54309785fe7707089181a472e8e684cc46d004dde21284c0c2187af8f8b5d2dad753f7adb12450833534c0ac6b00b1dd00f62460a5712

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe

Filesize
74KB

MD5
c5219a5b9796c2ea53ba71e1600c59e6

SHA1
feece2840c955a5e8d193df34e1db9769b78b3ca

SHA256
c63af1e880ea4cacf98247017c2b0bc7644223cb3ffb2c034b71a2cec8b694c9

SHA512
48494f244607ba6326b54309785fe7707089181a472e8e684cc46d004dde21284c0c2187af8f8b5d2dad753f7adb12450833534c0ac6b00b1dd00f62460a5712

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpaflxvx.exe

Filesize
74KB

MD5
c5219a5b9796c2ea53ba71e1600c59e6

SHA1
feece2840c955a5e8d193df34e1db9769b78b3ca

SHA256
c63af1e880ea4cacf98247017c2b0bc7644223cb3ffb2c034b71a2cec8b694c9

SHA512
48494f244607ba6326b54309785fe7707089181a472e8e684cc46d004dde21284c0c2187af8f8b5d2dad753f7adb12450833534c0ac6b00b1dd00f62460a5712

Download Submit
memory/1292-130-0x0000000000000000-mapping.dmp

Download
memory/2856-135-0x0000000000000000-mapping.dmp

Download
memory/2856-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2856-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2856-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads