lokibot | 1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04

General

Target

1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
Size

158KB
MD5

bc496814b2fa5e00b65f96a3e5a395ab
SHA1

d1b558cc64936e4289ab3aeb028f8d235efa710b
SHA256

1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04
SHA512

f531b41ffb8622015cd13d91bf7fe6a169b947fd6edd3398517a4fccab8b61c55ebc45c70f4be0715af20fd0db31a66d1046df68990d55a555f55238bee8f5f4

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://85.202.169.172/auzsintwo/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

hpmzi.exehpmzi.exe

pid process

4164 hpmzi.exe
4132 hpmzi.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4164	hpmzi.exe
4132	hpmzi.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

hpmzi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hpmzi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	hpmzi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hpmzi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hpmzi.exe

description pid process target process

PID 4164 set thread context of 4132 4164 hpmzi.exe hpmzi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hpmzi.exe

description pid process

Token: SeDebugPrivilege 4132 hpmzi.exe

description	pid	process	target process
PID 4164 set thread context of 4132	4164	hpmzi.exe	hpmzi.exe

description	pid	process
Token: SeDebugPrivilege	4132	hpmzi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exehpmzi.exe

description	pid	process	target process
PID 2868 wrote to memory of 4164	2868	1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe	hpmzi.exe
PID 2868 wrote to memory of 4164	2868	1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe	hpmzi.exe
PID 2868 wrote to memory of 4164	2868	1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe
PID 4164 wrote to memory of 4132	4164	hpmzi.exe	hpmzi.exe

outlook_office_path 1 IoCs

Processes:

hpmzi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	hpmzi.exe

outlook_win_path 1 IoCs

Processes:

hpmzi.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	hpmzi.exe

C:\Users\Admin\AppData\Local\Temp\1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe
"C:\Users\Admin\AppData\Local\Temp\1734b9b07784fba19d694f4c9e747be71298ab48f7735087f158b10ce8c63e04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
C:\Users\Admin\AppData\Local\Temp\hpmzi.exe C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
C:\Users\Admin\AppData\Local\Temp\hpmzi.exe C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
Filesize
79KB

MD5
ad5246ea703ad1b54495e6952becb85f

SHA1
365b8031461d3e9d778d35da0410dd48939cbfcc

SHA256
fb8ac246b3cc18000d515072dc236a9ab06792d22ee95a2d5cd8aa33df65f0f2

SHA512
fd02e6993a8a9ffca36c36106632aee3fa600ed9e3f7a0e91538c04742d8ba0e8a7a70fac4d35894a5b636c1ed38fcc1c6160aa889716f138e8e1e5b8e2cd917

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
Filesize
79KB

MD5
ad5246ea703ad1b54495e6952becb85f

SHA1
365b8031461d3e9d778d35da0410dd48939cbfcc

SHA256
fb8ac246b3cc18000d515072dc236a9ab06792d22ee95a2d5cd8aa33df65f0f2

SHA512
fd02e6993a8a9ffca36c36106632aee3fa600ed9e3f7a0e91538c04742d8ba0e8a7a70fac4d35894a5b636c1ed38fcc1c6160aa889716f138e8e1e5b8e2cd917

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpmzi.exe
Filesize
79KB

MD5
ad5246ea703ad1b54495e6952becb85f

SHA1
365b8031461d3e9d778d35da0410dd48939cbfcc

SHA256
fb8ac246b3cc18000d515072dc236a9ab06792d22ee95a2d5cd8aa33df65f0f2

SHA512
fd02e6993a8a9ffca36c36106632aee3fa600ed9e3f7a0e91538c04742d8ba0e8a7a70fac4d35894a5b636c1ed38fcc1c6160aa889716f138e8e1e5b8e2cd917

Download Submit
C:\Users\Admin\AppData\Local\Temp\o7zcqz58zkiu5
Filesize
103KB

MD5
fdc8b09cfae5d94def3265cae8f06184

SHA1
e282662ea7a9c4bcfc940c3b4000c4707c2aabc8

SHA256
94dcc3169cd35195dd835998942f0e7fbded4f4cb1f7636e27126c5caa0e54d5

SHA512
cbce2d23ec80dfbff5aab68aec2fb03cdb7209a6fe487bd8d0d5a191bb2930b63b342d4e157471820bcb4a17150aa6195968492fcf83052cf171d95cad9fe1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\owhhlcawlp
Filesize
5KB

MD5
b3c8214f711d8b57fd4c5bb48054d0f7

SHA1
257e0f50e5135bd0a1aba619c370b11f93b28dee

SHA256
f8b22f2d657af7def180d7769f434dd6bd27bd742039b513c746b9ed15b861d9

SHA512
58caa8548a748d55528f798b6bdb32a3b1149bb188ba5f006ad44676fc977f614f04268e413ac12c199124ff55bb0af131f80a2433d6d0e0780c9d5e935818b1

Download Submit
memory/4132-135-0x0000000000000000-mapping.dmp

Download
memory/4132-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4132-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4132-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4164-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads