lokibot | 8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950

General

Target

8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
Size

177KB
MD5

39fb96cbed18cbc33856518a6ea2311a
SHA1

94e683d0d8456adc960c735f5bc9d45970350c1e
SHA256

8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950
SHA512

65e45cabbdff8b57324276ac121524e4de1880cf6fb45d8dc29c2cfbfeaede87c84213208671f375800233d9fb79148fdff6a65c1fda56f5da0e98ff2a14a009

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

nazbeb.exenazbeb.exe

pid process

1732 nazbeb.exe
1392 nazbeb.exe

pid	process
1732	nazbeb.exe
1392	nazbeb.exe

Loads dropped DLL 3 IoCs

Processes:

8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exenazbeb.exe

pid	process
1880	8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
1880	8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
1732	nazbeb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

nazbeb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	nazbeb.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	nazbeb.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nazbeb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

nazbeb.exe

description pid process target process

PID 1732 set thread context of 1392 1732 nazbeb.exe nazbeb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nazbeb.exe

description pid process

Token: SeDebugPrivilege 1392 nazbeb.exe

description	pid	process	target process
PID 1732 set thread context of 1392	1732	nazbeb.exe	nazbeb.exe

description	pid	process
Token: SeDebugPrivilege	1392	nazbeb.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exenazbeb.exe

description	pid	process	target process
PID 1880 wrote to memory of 1732	1880	8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe	nazbeb.exe
PID 1880 wrote to memory of 1732	1880	8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe	nazbeb.exe
PID 1880 wrote to memory of 1732	1880	8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe	nazbeb.exe
PID 1880 wrote to memory of 1732	1880	8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe
PID 1732 wrote to memory of 1392	1732	nazbeb.exe	nazbeb.exe

outlook_office_path 1 IoCs

Processes:

nazbeb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	nazbeb.exe

outlook_win_path 1 IoCs

Processes:

nazbeb.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	nazbeb.exe

C:\Users\Admin\AppData\Local\Temp\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
"C:\Users\Admin\AppData\Local\Temp\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\nazbeb.exe
  C:\Users\Admin\AppData\Local\Temp\nazbeb.exe C:\Users\Admin\AppData\Local\Temp\jyioadmvle
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\nazbeb.exe
    C:\Users\Admin\AppData\Local\Temp\nazbeb.exe C:\Users\Admin\AppData\Local\Temp\jyioadmvle
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11itn4vgjwi7rbw698y9

Filesize
103KB

MD5
c590478e77c9e019771b181b13362629

SHA1
1fd2f2fafe2c95b75e422d869ee49e0fc9f19e5f

SHA256
709531c7ef6151725bc0e68d2b50bb87cc5f85243adab511fc630d493541ec4b

SHA512
fd0fde6af028c0f40b17e488c9cfd7beaeebadd082a22c5a5a39ea229d2a27d03c7fb4bf3efd7c3fda2cd17184d15a17e76e97f3480e30ba84750516d30e5fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyioadmvle

Filesize
4KB

MD5
1108a516c107c60ccf1430555efbad88

SHA1
0234f6a73f558d6e472d996ced13f9536cb6f369

SHA256
49a11ac8bbc855a3e73e62941328d38cc9047ef3eddb018d06609f1d48c0e0a8

SHA512
24315f41f1a124bcaee04c0cda5406c142a65ab3fcb589a23551deb7df3b3f1a5bce2b04a949733bbe0ceefb3f4d60b04d8c25cd350abf28ddf0c51279e29597

Download Submit
C:\Users\Admin\AppData\Local\Temp\nazbeb.exe

Filesize
73KB

MD5
0d1ab370889916ecbf81e1526953f688

SHA1
14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

SHA256
1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

SHA512
259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nazbeb.exe

Filesize
73KB

MD5
0d1ab370889916ecbf81e1526953f688

SHA1
14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

SHA256
1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

SHA512
259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nazbeb.exe

Filesize
73KB

MD5
0d1ab370889916ecbf81e1526953f688

SHA1
14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

SHA256
1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

SHA512
259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

Download Submit
\Users\Admin\AppData\Local\Temp\nazbeb.exe

Filesize
73KB

MD5
0d1ab370889916ecbf81e1526953f688

SHA1
14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

SHA256
1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

SHA512
259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

Download Submit
\Users\Admin\AppData\Local\Temp\nazbeb.exe

Filesize
73KB

MD5
0d1ab370889916ecbf81e1526953f688

SHA1
14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

SHA256
1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

SHA512
259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

Download Submit
\Users\Admin\AppData\Local\Temp\nazbeb.exe

Filesize
73KB

MD5
0d1ab370889916ecbf81e1526953f688

SHA1
14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

SHA256
1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

SHA512
259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

Download Submit
memory/1392-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1392-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1392-64-0x00000000004139DE-mapping.dmp

Download
memory/1392-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads