lokibot | db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0

General

Target

db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
Size

178KB
MD5

d03317300292297a16112f36a1e83bb8
SHA1

419d30382bf5ecc8b80c8d94a0e3f9921e72e13d
SHA256

db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0
SHA512

01218946e9960a9f97bb9a904649403c8e140de9117de9e9861adcff3a622ecadc0cfde3c1562bc0c89a3e0ca6c9ba9698afb7d5f9086b185c5899937376ecb3

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

qfxywspm.exeqfxywspm.exe

pid process

1124 qfxywspm.exe
892 qfxywspm.exe

pid	process
1124	qfxywspm.exe
892	qfxywspm.exe

Loads dropped DLL 3 IoCs

Processes:

db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exeqfxywspm.exe

pid	process
1628	db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
1628	db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
1124	qfxywspm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

qfxywspm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	qfxywspm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qfxywspm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qfxywspm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qfxywspm.exe

description pid process target process

PID 1124 set thread context of 892 1124 qfxywspm.exe qfxywspm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qfxywspm.exe

description pid process

Token: SeDebugPrivilege 892 qfxywspm.exe

description	pid	process	target process
PID 1124 set thread context of 892	1124	qfxywspm.exe	qfxywspm.exe

description	pid	process
Token: SeDebugPrivilege	892	qfxywspm.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exeqfxywspm.exe

description	pid	process	target process
PID 1628 wrote to memory of 1124	1628	db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe	qfxywspm.exe
PID 1628 wrote to memory of 1124	1628	db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe	qfxywspm.exe
PID 1628 wrote to memory of 1124	1628	db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe	qfxywspm.exe
PID 1628 wrote to memory of 1124	1628	db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe
PID 1124 wrote to memory of 892	1124	qfxywspm.exe	qfxywspm.exe

outlook_office_path 1 IoCs

Processes:

qfxywspm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qfxywspm.exe

outlook_win_path 1 IoCs

Processes:

qfxywspm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qfxywspm.exe

C:\Users\Admin\AppData\Local\Temp\db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe
"C:\Users\Admin\AppData\Local\Temp\db634f40121feab576a36a525042fa80a16c79a5c34f566266fadf897487c2b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe
C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe C:\Users\Admin\AppData\Local\Temp\onqtfnqe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe
C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe C:\Users\Admin\AppData\Local\Temp\onqtfnqe
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onqtfnqe
Filesize
4KB

MD5
5d377899df136b57df568dc63d593618

SHA1
4946c1175a194d88d22d8c9b7bef6f5d1478e14a

SHA256
58067901bb9d96e7af0e8db9badd3eadc6c49d309cb91b2d2bc9a2a07d4050fe

SHA512
d9ae51b2b98ba942f1912cf11206878bf90668ff7670e4acb37a39a8abf431ebfa30a21ef1950b102dcba6461f5cf8b7e97dc34cfe79054b9c73beb08b2c398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe
Filesize
74KB

MD5
df0d6f1a158691781d0393430d4318c6

SHA1
d05327463db4e913f04f16d8d962445b2b170285

SHA256
27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604

SHA512
faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe
Filesize
74KB

MD5
df0d6f1a158691781d0393430d4318c6

SHA1
d05327463db4e913f04f16d8d962445b2b170285

SHA256
27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604

SHA512
faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfxywspm.exe
Filesize
74KB

MD5
df0d6f1a158691781d0393430d4318c6

SHA1
d05327463db4e913f04f16d8d962445b2b170285

SHA256
27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604

SHA512
faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tia2bod4riafwg
Filesize
103KB

MD5
89fa65170d98c7e718b2d5d14990b038

SHA1
a7e1b1b094e85d4927407e35d79a48d42beb0f99

SHA256
7d24e08dc55c09a9d978cf8d292386c4751b9dd50ee9829c50705524c258fd83

SHA512
5f4f98b557835b1b820b0a708b13cea303f6bea7a331902300ba81f28333eeab32e3ecfa5280b58ea971806fadd938050943ad46cbb660c28789bacf2e5b9c75

Download Submit
\Users\Admin\AppData\Local\Temp\qfxywspm.exe
Filesize
74KB

MD5
df0d6f1a158691781d0393430d4318c6

SHA1
d05327463db4e913f04f16d8d962445b2b170285

SHA256
27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604

SHA512
faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c

Download Submit
\Users\Admin\AppData\Local\Temp\qfxywspm.exe
Filesize
74KB

MD5
df0d6f1a158691781d0393430d4318c6

SHA1
d05327463db4e913f04f16d8d962445b2b170285

SHA256
27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604

SHA512
faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c

Download Submit
\Users\Admin\AppData\Local\Temp\qfxywspm.exe
Filesize
74KB

MD5
df0d6f1a158691781d0393430d4318c6

SHA1
d05327463db4e913f04f16d8d962445b2b170285

SHA256
27aa4b425182aaab082d7ff6fc1052ffa954cd57bbcddde006851b4415a0c604

SHA512
faaac90ac92cdd0cc2837f1f456ceaac39824b1812dfbc103200cc7616a6aa36710a3f91d16c3b92ee65d1b5ca817597fd481a4173330f107b1143852520092c

Download Submit
memory/892-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-65-0x00000000004139DE-mapping.dmp

Download
memory/892-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/892-70-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1124-57-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads