lokibot | 7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653

General

Target

7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe
Size

158KB
MD5

7fe24e559e9025b3b1ff153ffc0c5227
SHA1

671115f7a95b5b0c8689ea954de079b9c2414bd6
SHA256

7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653
SHA512

64987d049846f0ae986efd504d15383f5e07d47bc87c93703e0d1b35761017fc3d4b33929a295069381e337b136cb31ada45b5907ebdc949462695348db73d7f

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

rzzil.exerzzil.exe

pid process

4260 rzzil.exe
1876 rzzil.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4260	rzzil.exe
1876	rzzil.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rzzil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rzzil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rzzil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rzzil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rzzil.exe

description pid process target process

PID 4260 set thread context of 1876 4260 rzzil.exe rzzil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rzzil.exe

description pid process

Token: SeDebugPrivilege 1876 rzzil.exe

description	pid	process	target process
PID 4260 set thread context of 1876	4260	rzzil.exe	rzzil.exe

description	pid	process
Token: SeDebugPrivilege	1876	rzzil.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exerzzil.exe

description	pid	process	target process
PID 3436 wrote to memory of 4260	3436	7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe	rzzil.exe
PID 3436 wrote to memory of 4260	3436	7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe	rzzil.exe
PID 3436 wrote to memory of 4260	3436	7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe
PID 4260 wrote to memory of 1876	4260	rzzil.exe	rzzil.exe

outlook_office_path 1 IoCs

Processes:

rzzil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rzzil.exe

outlook_win_path 1 IoCs

Processes:

rzzil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rzzil.exe

C:\Users\Admin\AppData\Local\Temp\7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe
"C:\Users\Admin\AppData\Local\Temp\7c79a61d6bc2a13c372c68567ea0cb7162cc9a6ca9285abe9def70255490f653.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\rzzil.exe
C:\Users\Admin\AppData\Local\Temp\rzzil.exe C:\Users\Admin\AppData\Local\Temp\dtfzdmsl
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\rzzil.exe
C:\Users\Admin\AppData\Local\Temp\rzzil.exe C:\Users\Admin\AppData\Local\Temp\dtfzdmsl
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtfzdmsl
Filesize
4KB

MD5
7fdce85f05af2bdb95e03c192687f2b4

SHA1
ff84737d484c8653ef75154a29ac8636f3a37315

SHA256
43849603c175b57f42089e6d058d42c73b752b3b31b8104fa17ea72c38ef08bb

SHA512
d2195dda06e2c802732e2dce67138fa13b18c4f7ad5398ad998b0790348fc16599e53844e8564ec38d497ef1ab1055a169f9a1794651800c772447e2646ef459

Download Submit
C:\Users\Admin\AppData\Local\Temp\r9rffw7zw8g96pzbuyrh
Filesize
103KB

MD5
802dbc579fa3885a05169eb56beed4ea

SHA1
8b665bfc17da041490fd40e4963b47bcf7ff3f48

SHA256
6aee5a0c4cd48cce3f55982a09f3cdec986f1b951273f585bbedc398d7c67b37

SHA512
13a86011ee204fd936be0698b845cd190d8545dd4c03bf19c73ae3306d5b7afdcd101bf652dcf463b0d96a48e3bc2890b0d7dd1f3b24b6296cbe67a0c44d80c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzzil.exe
Filesize
78KB

MD5
e34b36e0c0296eebd8bdb0c3b13ba4c1

SHA1
2e939a7dfa69e05f33b572eeff3134bd74aab03d

SHA256
be21d0cdd6a5a6abacdefe70eaacd5948854ea7261ea63ed8c4de520e6c04309

SHA512
8588699453693086026bf8be7dbaf505522c0fd91c33433dba6f889649da8a9807374c11a7aeea73cd4e33b6b696d8f0fdb1e3bd0b3771d0c5106ce8674cb1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzzil.exe
Filesize
78KB

MD5
e34b36e0c0296eebd8bdb0c3b13ba4c1

SHA1
2e939a7dfa69e05f33b572eeff3134bd74aab03d

SHA256
be21d0cdd6a5a6abacdefe70eaacd5948854ea7261ea63ed8c4de520e6c04309

SHA512
8588699453693086026bf8be7dbaf505522c0fd91c33433dba6f889649da8a9807374c11a7aeea73cd4e33b6b696d8f0fdb1e3bd0b3771d0c5106ce8674cb1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzzil.exe
Filesize
78KB

MD5
e34b36e0c0296eebd8bdb0c3b13ba4c1

SHA1
2e939a7dfa69e05f33b572eeff3134bd74aab03d

SHA256
be21d0cdd6a5a6abacdefe70eaacd5948854ea7261ea63ed8c4de520e6c04309

SHA512
8588699453693086026bf8be7dbaf505522c0fd91c33433dba6f889649da8a9807374c11a7aeea73cd4e33b6b696d8f0fdb1e3bd0b3771d0c5106ce8674cb1c5

Download Submit
memory/1876-135-0x0000000000000000-mapping.dmp

Download
memory/1876-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1876-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1876-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4260-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads