lokibot | ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7

General

Target

ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exe
Size

158KB
MD5

f59ee906bc0df423ca26ad7436eedaad
SHA1

35ae6543c6633a36fff11fc09c2bc7e8d95ab747
SHA256

ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7
SHA512

50adbc078fc07b202c63becedb2bd1588cef1de63ba11cf077b7001e3d8672da13b68371622018f7b36537dc41f1fe43cbf99f99b5bc1a86a3ec2bf3e7b9e8af

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gf17/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

kudvb.exekudvb.exe

pid process

3428 kudvb.exe
1176 kudvb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3428	kudvb.exe
1176	kudvb.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

kudvb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kudvb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	kudvb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kudvb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kudvb.exe

description pid process target process

PID 3428 set thread context of 1176 3428 kudvb.exe kudvb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kudvb.exe

description pid process

Token: SeDebugPrivilege 1176 kudvb.exe

description	pid	process	target process
PID 3428 set thread context of 1176	3428	kudvb.exe	kudvb.exe

description	pid	process
Token: SeDebugPrivilege	1176	kudvb.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exekudvb.exe

description	pid	process	target process
PID 392 wrote to memory of 3428	392	ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exe	kudvb.exe
PID 392 wrote to memory of 3428	392	ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exe	kudvb.exe
PID 392 wrote to memory of 3428	392	ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe
PID 3428 wrote to memory of 1176	3428	kudvb.exe	kudvb.exe

outlook_office_path 1 IoCs

Processes:

kudvb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kudvb.exe

outlook_win_path 1 IoCs

Processes:

kudvb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kudvb.exe

C:\Users\Admin\AppData\Local\Temp\ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exe
"C:\Users\Admin\AppData\Local\Temp\ee497c7942e6dcee5f26f13766a9efaddfcee4a98d913107162767ed8c43b3b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\kudvb.exe
C:\Users\Admin\AppData\Local\Temp\kudvb.exe C:\Users\Admin\AppData\Local\Temp\ayrmbdie
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\kudvb.exe
C:\Users\Admin\AppData\Local\Temp\kudvb.exe C:\Users\Admin\AppData\Local\Temp\ayrmbdie
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ayrmbdie
Filesize
5KB

MD5
e96de5b43b69f9b97033a7bc80bd2a84

SHA1
73e7378750f1741c6191caa7d87678d6771925f8

SHA256
2aac125fe00e6f237b4cde2dc15474ca78c6c8398ea51fb56e5ea4e3f4822ac7

SHA512
180e4dd08be620688428eb822ad6d647c1c7aeb16dcb540888a0d84adb1ab702e1266630303d68e99153d51abed7e9a4ca8412a96a12d01d9e0a58543860775f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kudvb.exe
Filesize
78KB

MD5
9f997aeddad0aca01b309e9c8f2fa07b

SHA1
aa36040964f46cf3282cb6a8279804277fd7bac9

SHA256
05c3fb8fc535bc262d651939d0e0e64d27524e0b3d69a0fcb5949bf15b95cfd8

SHA512
9124ae5c818f705197a2e95066154a6830d72b95740c9c554b3806fcdbc41512478f4fd5030ddb1455a75510a00322290ed1f48130ffac7249f081e29f553e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\kudvb.exe
Filesize
78KB

MD5
9f997aeddad0aca01b309e9c8f2fa07b

SHA1
aa36040964f46cf3282cb6a8279804277fd7bac9

SHA256
05c3fb8fc535bc262d651939d0e0e64d27524e0b3d69a0fcb5949bf15b95cfd8

SHA512
9124ae5c818f705197a2e95066154a6830d72b95740c9c554b3806fcdbc41512478f4fd5030ddb1455a75510a00322290ed1f48130ffac7249f081e29f553e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\kudvb.exe
Filesize
78KB

MD5
9f997aeddad0aca01b309e9c8f2fa07b

SHA1
aa36040964f46cf3282cb6a8279804277fd7bac9

SHA256
05c3fb8fc535bc262d651939d0e0e64d27524e0b3d69a0fcb5949bf15b95cfd8

SHA512
9124ae5c818f705197a2e95066154a6830d72b95740c9c554b3806fcdbc41512478f4fd5030ddb1455a75510a00322290ed1f48130ffac7249f081e29f553e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tncp1fjt9abk6t0jixa
Filesize
103KB

MD5
319376065eac95e66d55c24aa65dec10

SHA1
258e258b757afaa43f03a511e18d829a95ad9ea9

SHA256
cc2ae0ea640bbca548f5bd678f8ee63cc0b7e3d47e4fa7bcccd38aa7545a8f64

SHA512
a3bf5629777de003ac8d30eaefa066d4acde3951458f38ec86dcfba7d09077f28a2088155c8111079c77fdda86c46ab8ed07016a000319fd23bde2840ef29076

Download Submit
memory/1176-135-0x0000000000000000-mapping.dmp

Download
memory/1176-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1176-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1176-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3428-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads