lokibot | 5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736

General

Target

5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe
Size

155KB
MD5

97440ea0cd6403ea0584e1ce47ddd989
SHA1

0d8bcb8b05f053c2204f85e2e244c01172aac2d4
SHA256

5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736
SHA512

2102031ff3b7cc32aeb56351b66ea1414300369c9a5367c885e139b2dcee70b8bb7b2c4199f232da33c752e26b1cc3745508847008d5aeb463034cbb11eba415

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.ml/Subject/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

dsidekkm.exedsidekkm.exe

pid process

4664 dsidekkm.exe
4284 dsidekkm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4664	dsidekkm.exe
4284	dsidekkm.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dsidekkm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dsidekkm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dsidekkm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dsidekkm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dsidekkm.exe

description pid process target process

PID 4664 set thread context of 4284 4664 dsidekkm.exe dsidekkm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dsidekkm.exe

description pid process

Token: SeDebugPrivilege 4284 dsidekkm.exe

description	pid	process	target process
PID 4664 set thread context of 4284	4664	dsidekkm.exe	dsidekkm.exe

description	pid	process
Token: SeDebugPrivilege	4284	dsidekkm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exedsidekkm.exe

description	pid	process	target process
PID 1412 wrote to memory of 4664	1412	5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe	dsidekkm.exe
PID 1412 wrote to memory of 4664	1412	5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe	dsidekkm.exe
PID 1412 wrote to memory of 4664	1412	5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe
PID 4664 wrote to memory of 4284	4664	dsidekkm.exe	dsidekkm.exe

outlook_office_path 1 IoCs

Processes:

dsidekkm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dsidekkm.exe

outlook_win_path 1 IoCs

Processes:

dsidekkm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dsidekkm.exe

C:\Users\Admin\AppData\Local\Temp\5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe
"C:\Users\Admin\AppData\Local\Temp\5a8972d75037e916016c48dc1ec724bffcecf961ddd320583658b066c9c5c736.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe
C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe C:\Users\Admin\AppData\Local\Temp\ervviqecv
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe
C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe C:\Users\Admin\AppData\Local\Temp\ervviqecv
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8e62xfm4teso2ych
Filesize
103KB

MD5
9c8644aad2ff10a7123ff6933fbc92dd

SHA1
29915f6eea6b079ca2b6709c10cc77e36294a120

SHA256
81261ba28841edd5abd061ab0f75b4f3fdb721f3040f9f9d427cd871c5483239

SHA512
71af33c364e4f55115a72244e979b8bf00712d9d7e4b9c6608dc32886ec54735f32dbe288514d9d4e648145503d445f48cfd6f815743a0849346adaa6f129671

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe
Filesize
75KB

MD5
e6201dce6d1e517c551cbaf6338d4f62

SHA1
dc945168efbe18acb23614f8260bb1df4e30f431

SHA256
78e691a8c027eb55b77be0014a0a3a524498bbfb231089a0c036dd8deef73bac

SHA512
5633ca037b75cf53367ae676de9eadc077305e345c67efb60b52a3e00ffe2a9e99034f8b2a2a8004910f62091deb0b95e9f263b28467bc3a4f70bcc0ef5ed1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe
Filesize
75KB

MD5
e6201dce6d1e517c551cbaf6338d4f62

SHA1
dc945168efbe18acb23614f8260bb1df4e30f431

SHA256
78e691a8c027eb55b77be0014a0a3a524498bbfb231089a0c036dd8deef73bac

SHA512
5633ca037b75cf53367ae676de9eadc077305e345c67efb60b52a3e00ffe2a9e99034f8b2a2a8004910f62091deb0b95e9f263b28467bc3a4f70bcc0ef5ed1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsidekkm.exe
Filesize
75KB

MD5
e6201dce6d1e517c551cbaf6338d4f62

SHA1
dc945168efbe18acb23614f8260bb1df4e30f431

SHA256
78e691a8c027eb55b77be0014a0a3a524498bbfb231089a0c036dd8deef73bac

SHA512
5633ca037b75cf53367ae676de9eadc077305e345c67efb60b52a3e00ffe2a9e99034f8b2a2a8004910f62091deb0b95e9f263b28467bc3a4f70bcc0ef5ed1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ervviqecv
Filesize
5KB

MD5
baec2f589290cd7478e8428d163cffaa

SHA1
49f90695aad97a170738e578cfd00cd65585ddf3

SHA256
ee043d54083654d9efa3f90049bc6b69e13ca47c7c35510675b36e4defed55d9

SHA512
4e991ea3e7f35a9472fd12bdd049114ed8d9be38a4e5d8c9261c9e408965e08fe1a623df6afff8911c5f5419cf8476a32b5506d5f3f14a3a3e975b40db1221cd

Download Submit
memory/4284-135-0x0000000000000000-mapping.dmp

Download
memory/4284-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4284-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4284-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4664-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads