lokibot | 9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c

General

Target

9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe
Size

123KB
MD5

dedec6fa6716daed966b0b54e2cdd30d
SHA1

95e2749866638e1fd89f56d9f53c9626de74ab37
SHA256

9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c
SHA512

0e1f5b78c2c97eeec09372a39af2a5f60515d59157831d07ffd4f56d984ba5de1030b3b6307be0033a60cbcf767b5a3b2073bfa27a8fa1d136d58d821eb79b13

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/healthtwo/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

qqoutla.exeqqoutla.exe

pid process

1540 qqoutla.exe
1208 qqoutla.exe
Loads dropped DLL 2 IoCs

Processes:

9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exeqqoutla.exe

pid process

980 9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe
1540 qqoutla.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1540	qqoutla.exe
1208	qqoutla.exe

pid	process
980	9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe
1540	qqoutla.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

qqoutla.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qqoutla.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	qqoutla.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qqoutla.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qqoutla.exe

description pid process target process

PID 1540 set thread context of 1208 1540 qqoutla.exe qqoutla.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qqoutla.exe

description pid process

Token: SeDebugPrivilege 1208 qqoutla.exe

description	pid	process	target process
PID 1540 set thread context of 1208	1540	qqoutla.exe	qqoutla.exe

description	pid	process
Token: SeDebugPrivilege	1208	qqoutla.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exeqqoutla.exe

description	pid	process	target process
PID 980 wrote to memory of 1540	980	9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe	qqoutla.exe
PID 980 wrote to memory of 1540	980	9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe	qqoutla.exe
PID 980 wrote to memory of 1540	980	9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe	qqoutla.exe
PID 980 wrote to memory of 1540	980	9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe
PID 1540 wrote to memory of 1208	1540	qqoutla.exe	qqoutla.exe

outlook_office_path 1 IoCs

Processes:

qqoutla.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qqoutla.exe

outlook_win_path 1 IoCs

Processes:

qqoutla.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qqoutla.exe

C:\Users\Admin\AppData\Local\Temp\9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe
"C:\Users\Admin\AppData\Local\Temp\9c31d9a430e6dbe6d92835442a8371d277ae07b8bac0190ce3b4a2d22e59352c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\qqoutla.exe
C:\Users\Admin\AppData\Local\Temp\qqoutla.exe C:\Users\Admin\AppData\Local\Temp\drplkxyhxb
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\qqoutla.exe
C:\Users\Admin\AppData\Local\Temp\qqoutla.exe C:\Users\Admin\AppData\Local\Temp\drplkxyhxb
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drplkxyhxb
Filesize
5KB

MD5
5a56d1ef8c4349778dd3b9c7d011f10d

SHA1
7d69e38058985f78123710664bd66704873a5d47

SHA256
08c9d45fd13e195bddf3ab642480dcc206c4870d0ad7264f23ffa3ddff483dd8

SHA512
584c6ac29a96b6f7d198caa3aadac038f7a75aee4805dfcc7fca96f648693ad40802f6cae9079000b41819f0cfa1bb3cc2a1bdc9cff24e5b2aa6963efdbe8ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0mi7x7kgbty
Filesize
103KB

MD5
6dec45da0d2b0e8f443c0ae30899bb1b

SHA1
9081109ceed19e2ed6c9afc4eabc616b3e448b01

SHA256
1362b7d60a6c9d3718158913f4c5986ec573d42973b607e2b4ba9c5a655087f4

SHA512
43795f1a0bbb7eff3f05bf6578fdc10fe10e324b02f97a1b136d0ff9dc97bba0762f2feaaed6ef06cea99faaf7f5b931ebd654baa793ed79a7f2ab39797e0f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqoutla.exe
Filesize
5KB

MD5
765618765fc6bd103172bbbe8fbe2ce6

SHA1
6eca1996ac24e626b179dc1cec66942078ca582b

SHA256
ef8575ed5142e77e2079ad9eae9869ab769e57b9a3560ad986025bb024662952

SHA512
f5f6cc589afcfa402d112c0814b3810353e9aa5fb995739033f2b80cb7956a72fa20109aec58d664aa699044b8cc770a497c1e2091e4897bb7130d376dad1d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqoutla.exe
Filesize
5KB

MD5
765618765fc6bd103172bbbe8fbe2ce6

SHA1
6eca1996ac24e626b179dc1cec66942078ca582b

SHA256
ef8575ed5142e77e2079ad9eae9869ab769e57b9a3560ad986025bb024662952

SHA512
f5f6cc589afcfa402d112c0814b3810353e9aa5fb995739033f2b80cb7956a72fa20109aec58d664aa699044b8cc770a497c1e2091e4897bb7130d376dad1d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqoutla.exe
Filesize
5KB

MD5
765618765fc6bd103172bbbe8fbe2ce6

SHA1
6eca1996ac24e626b179dc1cec66942078ca582b

SHA256
ef8575ed5142e77e2079ad9eae9869ab769e57b9a3560ad986025bb024662952

SHA512
f5f6cc589afcfa402d112c0814b3810353e9aa5fb995739033f2b80cb7956a72fa20109aec58d664aa699044b8cc770a497c1e2091e4897bb7130d376dad1d17

Download Submit
\Users\Admin\AppData\Local\Temp\qqoutla.exe
Filesize
5KB

MD5
765618765fc6bd103172bbbe8fbe2ce6

SHA1
6eca1996ac24e626b179dc1cec66942078ca582b

SHA256
ef8575ed5142e77e2079ad9eae9869ab769e57b9a3560ad986025bb024662952

SHA512
f5f6cc589afcfa402d112c0814b3810353e9aa5fb995739033f2b80cb7956a72fa20109aec58d664aa699044b8cc770a497c1e2091e4897bb7130d376dad1d17

Download Submit
\Users\Admin\AppData\Local\Temp\qqoutla.exe
Filesize
5KB

MD5
765618765fc6bd103172bbbe8fbe2ce6

SHA1
6eca1996ac24e626b179dc1cec66942078ca582b

SHA256
ef8575ed5142e77e2079ad9eae9869ab769e57b9a3560ad986025bb024662952

SHA512
f5f6cc589afcfa402d112c0814b3810353e9aa5fb995739033f2b80cb7956a72fa20109aec58d664aa699044b8cc770a497c1e2091e4897bb7130d376dad1d17

Download Submit
memory/980-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1208-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1208-64-0x00000000004139DE-mapping.dmp

Download
memory/1208-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1208-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1540-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads