lokibot | 65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76

General

Target

65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe
Size

177KB
MD5

e854767c8344eb7087eb6fb00e078efc
SHA1

7a0c759eebd34e76709ab6375f5e6325b7d0c557
SHA256

65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76
SHA512

ef68ffc517c8b4b197d297151171232debcfcee22fddc46b0210c2f1e133c9126db3b4eb2e0d39308daad043d06e000572a27b1a6486a5780a7a64af4c44aa80

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gf9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

qqwtfzy.exeqqwtfzy.exe

pid process

4876 qqwtfzy.exe
5068 qqwtfzy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4876	qqwtfzy.exe
5068	qqwtfzy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

qqwtfzy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qqwtfzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qqwtfzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	qqwtfzy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

qqwtfzy.exe

description pid process target process

PID 4876 set thread context of 5068 4876 qqwtfzy.exe qqwtfzy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

qqwtfzy.exe

description pid process

Token: SeDebugPrivilege 5068 qqwtfzy.exe

description	pid	process	target process
PID 4876 set thread context of 5068	4876	qqwtfzy.exe	qqwtfzy.exe

description	pid	process
Token: SeDebugPrivilege	5068	qqwtfzy.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exeqqwtfzy.exe

description	pid	process	target process
PID 3036 wrote to memory of 4876	3036	65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe	qqwtfzy.exe
PID 3036 wrote to memory of 4876	3036	65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe	qqwtfzy.exe
PID 3036 wrote to memory of 4876	3036	65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe
PID 4876 wrote to memory of 5068	4876	qqwtfzy.exe	qqwtfzy.exe

outlook_office_path 1 IoCs

Processes:

qqwtfzy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	qqwtfzy.exe

outlook_win_path 1 IoCs

Processes:

qqwtfzy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	qqwtfzy.exe

C:\Users\Admin\AppData\Local\Temp\65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe
"C:\Users\Admin\AppData\Local\Temp\65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe C:\Users\Admin\AppData\Local\Temp\bhaqdj
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe C:\Users\Admin\AppData\Local\Temp\bhaqdj
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhaqdj
Filesize
4KB

MD5
6c3a619aee27bc38625bfee936f4af08

SHA1
f97361806caf083b821bddc2c228f09a33c977c0

SHA256
a9224fa13636d7f7d3565b79d9c99639be9d02c002f0a48fc9928b4037d7df8a

SHA512
15a33294fe6c2a0cf252367d9a395ca1b67ff43bc52bd1151aa575ba5e169e3b60ebdd3a04a68496cbbab35a005b199266985729174f5c52eeb4487b4b19bb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
Filesize
73KB

MD5
80d1b1202d91fd29c1c5076f8bea187c

SHA1
f53e4f3a03e426c9ace931d7b14814c3b8f44f20

SHA256
9206bfa3fa05240d59d30ab4986a9b36aa63a170d74ff27910d3f0d9d91bf355

SHA512
4edd0b550f4963de6d368700826dbbd8f7faf4880ca42043f54f6d7ce18e5f0b917705550928aae1df57449c37a79d88f622fd3ef0ad20208f9f84fedb2d551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
Filesize
73KB

MD5
80d1b1202d91fd29c1c5076f8bea187c

SHA1
f53e4f3a03e426c9ace931d7b14814c3b8f44f20

SHA256
9206bfa3fa05240d59d30ab4986a9b36aa63a170d74ff27910d3f0d9d91bf355

SHA512
4edd0b550f4963de6d368700826dbbd8f7faf4880ca42043f54f6d7ce18e5f0b917705550928aae1df57449c37a79d88f622fd3ef0ad20208f9f84fedb2d551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqwtfzy.exe
Filesize
73KB

MD5
80d1b1202d91fd29c1c5076f8bea187c

SHA1
f53e4f3a03e426c9ace931d7b14814c3b8f44f20

SHA256
9206bfa3fa05240d59d30ab4986a9b36aa63a170d74ff27910d3f0d9d91bf355

SHA512
4edd0b550f4963de6d368700826dbbd8f7faf4880ca42043f54f6d7ce18e5f0b917705550928aae1df57449c37a79d88f622fd3ef0ad20208f9f84fedb2d551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\r4rdy50kn32y74
Filesize
103KB

MD5
1ef30c1c2f6c002efd5174a16c6caf4a

SHA1
cd603af001bfc9228392a0d01a4c6ff3f9eee6f7

SHA256
2fba5b538eb4ac0815f927d4eb1ffe55f6027d19a397b3d949e7d9efda5cfe62

SHA512
eb392a95f3b95172eee50734ca0f93cc5e541534a6c7213d2ed4687c70d356ffe43d5d6e8d6c555af3de87c73417eca77bdc176c1727546b6f429a765d2c1eff

Download Submit
memory/4876-130-0x0000000000000000-mapping.dmp

Download
memory/5068-135-0x0000000000000000-mapping.dmp

Download
memory/5068-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5068-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5068-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads