lokibot | 7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844

General

Target

7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe
Size

178KB
MD5

8b9e4e9b0b4d1548e9ea574d984991d4
SHA1

1f0fc269e198d87d713cdabbe22e210c841867c3
SHA256

7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844
SHA512

e727804560dc1b0d8f2a6bc8a75b82e28b10dcf8a004437f333fb8d0a49f053eb2926473cb4552282a3dfe03c7a1f8f109ea5de244c7b92a9a478371f1366816

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://37.0.11.227/sarag/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

wocaxgpyhi.exewocaxgpyhi.exe

pid process

3576 wocaxgpyhi.exe
580 wocaxgpyhi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3576	wocaxgpyhi.exe
580	wocaxgpyhi.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wocaxgpyhi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wocaxgpyhi.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wocaxgpyhi.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wocaxgpyhi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wocaxgpyhi.exe

description pid process target process

PID 3576 set thread context of 580 3576 wocaxgpyhi.exe wocaxgpyhi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wocaxgpyhi.exe

description pid process

Token: SeDebugPrivilege 580 wocaxgpyhi.exe

description	pid	process	target process
PID 3576 set thread context of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe

description	pid	process
Token: SeDebugPrivilege	580	wocaxgpyhi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exewocaxgpyhi.exe

description	pid	process	target process
PID 4960 wrote to memory of 3576	4960	7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe	wocaxgpyhi.exe
PID 4960 wrote to memory of 3576	4960	7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe	wocaxgpyhi.exe
PID 4960 wrote to memory of 3576	4960	7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe
PID 3576 wrote to memory of 580	3576	wocaxgpyhi.exe	wocaxgpyhi.exe

outlook_office_path 1 IoCs

Processes:

wocaxgpyhi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wocaxgpyhi.exe

outlook_win_path 1 IoCs

Processes:

wocaxgpyhi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wocaxgpyhi.exe

C:\Users\Admin\AppData\Local\Temp\7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe
"C:\Users\Admin\AppData\Local\Temp\7d9c140a94dedd26d05573128e33e224a7fc3b18c672035298624a28c7825844.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe C:\Users\Admin\AppData\Local\Temp\tmsuxrsxio
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe C:\Users\Admin\AppData\Local\Temp\tmsuxrsxio
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s3672rzfd8z
Filesize
103KB

MD5
294adb1d9574e39cdcbde08c3d61e39d

SHA1
f29f5c4751c8ebc6e0978f08ac69e04cc1c86e4f

SHA256
d872786f95cbf6913d2ae8394015519e71a23b025cbbe0b9e47d9714e4e6cac4

SHA512
4f914d950ca7cbb6d5c4d8e400cde480fbbeb56e915f9496f4a3136e363dbf1b225c6be6ab91d67b4149d051a10f52984f6810e3f4d11146ab573259566a1452

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmsuxrsxio
Filesize
4KB

MD5
4f2fd8f33ddfa1ac2c8d549c021a7f41

SHA1
4762d61b9d7870b9b2b4c5fad55ff9e7e8a8eec1

SHA256
38ab7d1c65717825a080b741314aa9fd3f1018a00605f9e39358e4869ba6ac6e

SHA512
b25c9d5d9a978c79bd4c2b3f58125fdc9880a1ed767d8392c767f181f5d624c1541e102cd2fe8716f8d06460e20fd3fe902fb567f00b0a8a0f558f97f11aa45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
Filesize
73KB

MD5
667574ade08e3aac5f0df2c70b16ea92

SHA1
8d7d659584f4f0fa48458f3655d1d770d675823a

SHA256
fb202e5c81bbeed6c0fd6afe94dac83ad765e1a02241061748f4628e433c1e9f

SHA512
bf53488f5dfedcc0e50046c31ea7703f2104d5476576d5de7cbecca225c8ae0be257d69c0133b4d80e08fadcc2fcd69d5268d8ebc5252aed58772435d7bebe99

Download Submit
C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
Filesize
73KB

MD5
667574ade08e3aac5f0df2c70b16ea92

SHA1
8d7d659584f4f0fa48458f3655d1d770d675823a

SHA256
fb202e5c81bbeed6c0fd6afe94dac83ad765e1a02241061748f4628e433c1e9f

SHA512
bf53488f5dfedcc0e50046c31ea7703f2104d5476576d5de7cbecca225c8ae0be257d69c0133b4d80e08fadcc2fcd69d5268d8ebc5252aed58772435d7bebe99

Download Submit
C:\Users\Admin\AppData\Local\Temp\wocaxgpyhi.exe
Filesize
73KB

MD5
667574ade08e3aac5f0df2c70b16ea92

SHA1
8d7d659584f4f0fa48458f3655d1d770d675823a

SHA256
fb202e5c81bbeed6c0fd6afe94dac83ad765e1a02241061748f4628e433c1e9f

SHA512
bf53488f5dfedcc0e50046c31ea7703f2104d5476576d5de7cbecca225c8ae0be257d69c0133b4d80e08fadcc2fcd69d5268d8ebc5252aed58772435d7bebe99

Download Submit
memory/580-135-0x0000000000000000-mapping.dmp

Download
memory/580-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/580-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/580-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3576-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads