lokibot | a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935

General

Target

a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe
Size

178KB
MD5

2c24fa42140a8a16f3777173a2d3f0ab
SHA1

a11c097a2317d636ee095ccb94ee9d6c96934eda
SHA256

a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935
SHA512

267151d9b75fd3976f55a2119c4218960d89e351afea397eb34877ae1ff9d5c3fb1d094875b695b6ce509b59acf619a18e2a3a97673fd5a15b520635e211494c

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gf17/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

eqwqaboyko.exeeqwqaboyko.exe

pid process

680 eqwqaboyko.exe
3920 eqwqaboyko.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
680	eqwqaboyko.exe
3920	eqwqaboyko.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

eqwqaboyko.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	eqwqaboyko.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	eqwqaboyko.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	eqwqaboyko.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eqwqaboyko.exe

description pid process target process

PID 680 set thread context of 3920 680 eqwqaboyko.exe eqwqaboyko.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eqwqaboyko.exe

description pid process

Token: SeDebugPrivilege 3920 eqwqaboyko.exe

description	pid	process	target process
PID 680 set thread context of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe

description	pid	process
Token: SeDebugPrivilege	3920	eqwqaboyko.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exeeqwqaboyko.exe

description	pid	process	target process
PID 1692 wrote to memory of 680	1692	a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe	eqwqaboyko.exe
PID 1692 wrote to memory of 680	1692	a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe	eqwqaboyko.exe
PID 1692 wrote to memory of 680	1692	a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe
PID 680 wrote to memory of 3920	680	eqwqaboyko.exe	eqwqaboyko.exe

outlook_office_path 1 IoCs

Processes:

eqwqaboyko.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	eqwqaboyko.exe

outlook_win_path 1 IoCs

Processes:

eqwqaboyko.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	eqwqaboyko.exe

C:\Users\Admin\AppData\Local\Temp\a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe
"C:\Users\Admin\AppData\Local\Temp\a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe C:\Users\Admin\AppData\Local\Temp\ivwgcigp
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe C:\Users\Admin\AppData\Local\Temp\ivwgcigp
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
Filesize
73KB

MD5
c6e95b9264ecd68e1f8d379527b2dd15

SHA1
c6cab9a8e155a2290648238dc012ee045c551ec0

SHA256
8d2995105f833bc5472bc5eb4bd1d46cf6e1c531036806a521804db749b2cd47

SHA512
631fc25a84db6c43434cb3de88110fb9296989bbca8a5ee0209a407548246ccc17b2d9cb830f59bc7beeec7ff27c30bbff08c9bd65959281f8798996f07ae123

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
Filesize
73KB

MD5
c6e95b9264ecd68e1f8d379527b2dd15

SHA1
c6cab9a8e155a2290648238dc012ee045c551ec0

SHA256
8d2995105f833bc5472bc5eb4bd1d46cf6e1c531036806a521804db749b2cd47

SHA512
631fc25a84db6c43434cb3de88110fb9296989bbca8a5ee0209a407548246ccc17b2d9cb830f59bc7beeec7ff27c30bbff08c9bd65959281f8798996f07ae123

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
Filesize
73KB

MD5
c6e95b9264ecd68e1f8d379527b2dd15

SHA1
c6cab9a8e155a2290648238dc012ee045c551ec0

SHA256
8d2995105f833bc5472bc5eb4bd1d46cf6e1c531036806a521804db749b2cd47

SHA512
631fc25a84db6c43434cb3de88110fb9296989bbca8a5ee0209a407548246ccc17b2d9cb830f59bc7beeec7ff27c30bbff08c9bd65959281f8798996f07ae123

Download Submit
C:\Users\Admin\AppData\Local\Temp\eyn8t27d3l8n
Filesize
103KB

MD5
23f15d7c39493ef1ff974603008f4620

SHA1
97e0eabd827724084dcb2dcc04b1212439da899e

SHA256
8a4d2d9d0efcfe8ac06942e6c314c3be4951e63602b374a0b9cca5b9a48ddebc

SHA512
982f18f894ace376e41cd5f978357869f293d226eef5b71fbadaa48f7ae89fa353627d648a00f5292b08088d7ab86cffd6fc0b58adc23509ae91e74bbd001d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivwgcigp
Filesize
4KB

MD5
37fdb3c3ec3b846ccd7be9588ce96d28

SHA1
35fbc15b62c4c4c7ff3254072aa2f0fd5d38d0f3

SHA256
1bfeba5d98d816b4f41599c227829cd2b845b049794575f4b38cab8a23aa9ed1

SHA512
c19c3f6047ced5b1c87f98013f16d318644b54f803405a0cd2da36127197b74ca79690c2c7a3b24ed43ababd88964e4dcc5f0c41e33101c982fbf6ff6df578bc

Download Submit
memory/680-130-0x0000000000000000-mapping.dmp

Download
memory/3920-135-0x0000000000000000-mapping.dmp

Download
memory/3920-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3920-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3920-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads