lokibot | 8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77

General

Target

8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe
Size

177KB
MD5

c33d399c78bbc6d5f34b50759ce3deda
SHA1

3b78f12e5f3adf30b758942ae3bc08a3955d6e53
SHA256

8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77
SHA512

3276446bc72708dbafeac72f7c5fd83d78e5be3aed73bc65edb82d92d604e59d8be8306fc50b3d843b144a76718d762dfcbd47b86a9ec25ea3939cdd208c6bb7

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

tyexzohwr.exetyexzohwr.exe

pid process

5100 tyexzohwr.exe
1424 tyexzohwr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5100	tyexzohwr.exe
1424	tyexzohwr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

tyexzohwr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tyexzohwr.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	tyexzohwr.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tyexzohwr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tyexzohwr.exe

description pid process target process

PID 5100 set thread context of 1424 5100 tyexzohwr.exe tyexzohwr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tyexzohwr.exe

description pid process

Token: SeDebugPrivilege 1424 tyexzohwr.exe

description	pid	process	target process
PID 5100 set thread context of 1424	5100	tyexzohwr.exe	tyexzohwr.exe

description	pid	process
Token: SeDebugPrivilege	1424	tyexzohwr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exetyexzohwr.exe

description	pid	process	target process
PID 1676 wrote to memory of 5100	1676	8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe	tyexzohwr.exe
PID 1676 wrote to memory of 5100	1676	8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe	tyexzohwr.exe
PID 1676 wrote to memory of 5100	1676	8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe
PID 5100 wrote to memory of 1424	5100	tyexzohwr.exe	tyexzohwr.exe

outlook_office_path 1 IoCs

Processes:

tyexzohwr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tyexzohwr.exe

outlook_win_path 1 IoCs

Processes:

tyexzohwr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tyexzohwr.exe

C:\Users\Admin\AppData\Local\Temp\8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe
"C:\Users\Admin\AppData\Local\Temp\8f55cd87f94613eb7ea5e568c263cc3803378ab422bf31ceb7b7cc166bd9ad77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe
C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe C:\Users\Admin\AppData\Local\Temp\uzldniqguv
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe
C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe C:\Users\Admin\AppData\Local\Temp\uzldniqguv
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\egz8tvk5c1e
Filesize
103KB

MD5
820ea4ad006dcf5522501f1674570866

SHA1
459c4866c188ea886470f7836e560ddc29dc23cd

SHA256
22642e680c666754a2c97b7d944fdcce9a34900badcf7f5b6391af4851d50140

SHA512
f0d6b6f39867681cdaca2adf27226d589861a4b426a31dbabafd05e98663888a56da8a7eccb611dab1e48fd7ea914fc6aa466a8c09e0ef9c3959f68cef4b6e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe
Filesize
73KB

MD5
3ed7e7a4569cb65719d08de6537ec776

SHA1
86e06314a687b8186297950e9130802682eb7e61

SHA256
bf9912f5f8625811ad6de6ef21e0edfaac74450e9c34c76b4aae76e48ec10219

SHA512
4e383e8a11a8009e9bb684d080a5821f375c135dac606cf9fb900473793050739ac8125b4a5a9a5f44c28c5658016d38de528c47eef97767d85bcafea0d3e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe
Filesize
73KB

MD5
3ed7e7a4569cb65719d08de6537ec776

SHA1
86e06314a687b8186297950e9130802682eb7e61

SHA256
bf9912f5f8625811ad6de6ef21e0edfaac74450e9c34c76b4aae76e48ec10219

SHA512
4e383e8a11a8009e9bb684d080a5821f375c135dac606cf9fb900473793050739ac8125b4a5a9a5f44c28c5658016d38de528c47eef97767d85bcafea0d3e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyexzohwr.exe
Filesize
73KB

MD5
3ed7e7a4569cb65719d08de6537ec776

SHA1
86e06314a687b8186297950e9130802682eb7e61

SHA256
bf9912f5f8625811ad6de6ef21e0edfaac74450e9c34c76b4aae76e48ec10219

SHA512
4e383e8a11a8009e9bb684d080a5821f375c135dac606cf9fb900473793050739ac8125b4a5a9a5f44c28c5658016d38de528c47eef97767d85bcafea0d3e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzldniqguv
Filesize
5KB

MD5
bfeb5c2e3f159452a407e5475c50c8bd

SHA1
e577a6fc2bac3881eddd7d7a5153f9b300a4fc25

SHA256
6b3cb7af22a337a0407dc647c6ceb2aa60a0868a02464630e9b49ce0075a8c52

SHA512
cbf0bfe4a7346bd48608de07e911264a634e2642e5b6eec439e42ee1e653699d812c80a8eb09ee9abeda09f8b7ccec29a9b95ed6c298935cacf2042a1abde70c

Download Submit
memory/1424-135-0x0000000000000000-mapping.dmp

Download
memory/1424-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1424-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1424-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5100-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads