lokibot | 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4

General

Target

493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
Size

178KB
MD5

1b7cb251107fbaf8b865b9e8e8c23e25
SHA1

f5200902d1f9b10b6f132463c4fc5bf1b97a8e59
SHA256

493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4
SHA512

2d2d59408a72f632028d288e3fdaf352972d4fb9869d904c9c9a43e325f9d5037449ddc2bc04ac46688ae77058f27fba2f7c834f1e49188a5cc42d3bc9516e9d

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

tzrndxsw.exetzrndxsw.exe

pid process

1928 tzrndxsw.exe
1092 tzrndxsw.exe

pid	process
1928	tzrndxsw.exe
1092	tzrndxsw.exe

Loads dropped DLL 3 IoCs

Processes:

493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exetzrndxsw.exe

pid	process
1356	493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
1356	493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
1928	tzrndxsw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

tzrndxsw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tzrndxsw.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	tzrndxsw.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tzrndxsw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tzrndxsw.exe

description pid process target process

PID 1928 set thread context of 1092 1928 tzrndxsw.exe tzrndxsw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tzrndxsw.exe

description pid process

Token: SeDebugPrivilege 1092 tzrndxsw.exe

description	pid	process	target process
PID 1928 set thread context of 1092	1928	tzrndxsw.exe	tzrndxsw.exe

description	pid	process
Token: SeDebugPrivilege	1092	tzrndxsw.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exetzrndxsw.exe

description	pid	process	target process
PID 1356 wrote to memory of 1928	1356	493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe	tzrndxsw.exe
PID 1356 wrote to memory of 1928	1356	493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe	tzrndxsw.exe
PID 1356 wrote to memory of 1928	1356	493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe	tzrndxsw.exe
PID 1356 wrote to memory of 1928	1356	493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe
PID 1928 wrote to memory of 1092	1928	tzrndxsw.exe	tzrndxsw.exe

outlook_office_path 1 IoCs

Processes:

tzrndxsw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tzrndxsw.exe

outlook_win_path 1 IoCs

Processes:

tzrndxsw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tzrndxsw.exe

C:\Users\Admin\AppData\Local\Temp\493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
"C:\Users\Admin\AppData\Local\Temp\493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe C:\Users\Admin\AppData\Local\Temp\fkadovhmh
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe C:\Users\Admin\AppData\Local\Temp\fkadovhmh
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\89p56xdwxv2
Filesize
103KB

MD5
92f8c1994c861febb9ffc97da882ad11

SHA1
78c9f199af76b9c6ae8385c3177872391d43467f

SHA256
671c18fac11f0d50d0aa9fb90ba6effb5c681253ff4cc2b8a3026fa4361db60a

SHA512
17f9452aa5e84e8392d1caf7254c286a2b35549ca7d7d705cd1896ca99d03a2c5ac349f71697ab59f8b82a602faf3dbc271e6cddbcf043fe156cb649a5e17889

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkadovhmh
Filesize
5KB

MD5
ad19cf6349a32767647001b636f21414

SHA1
810132804236dd9336fb448fd255726e2464f12d

SHA256
ebbf676fbd4fe9937353e7e12eb9cde5d0e7ad0c997e8735a5b34035d6675ef8

SHA512
70cd1a3eae60024d5c457884ae1400322fbf2d8f52032f082893c986b14fc7ab6d5263ce2b9e229315f5acaebde9f2fdd2fabd8b53622dd26fbaca728f3807e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
Filesize
73KB

MD5
757c8a784addcf00d1afb36e3a8ef83e

SHA1
4b25fb555514ef55bc0d4fde46ae6bbac761c695

SHA256
e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc

SHA512
10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
Filesize
73KB

MD5
757c8a784addcf00d1afb36e3a8ef83e

SHA1
4b25fb555514ef55bc0d4fde46ae6bbac761c695

SHA256
e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc

SHA512
10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
Filesize
73KB

MD5
757c8a784addcf00d1afb36e3a8ef83e

SHA1
4b25fb555514ef55bc0d4fde46ae6bbac761c695

SHA256
e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc

SHA512
10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a

Download Submit
\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
Filesize
73KB

MD5
757c8a784addcf00d1afb36e3a8ef83e

SHA1
4b25fb555514ef55bc0d4fde46ae6bbac761c695

SHA256
e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc

SHA512
10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a

Download Submit
\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
Filesize
73KB

MD5
757c8a784addcf00d1afb36e3a8ef83e

SHA1
4b25fb555514ef55bc0d4fde46ae6bbac761c695

SHA256
e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc

SHA512
10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a

Download Submit
\Users\Admin\AppData\Local\Temp\tzrndxsw.exe
Filesize
73KB

MD5
757c8a784addcf00d1afb36e3a8ef83e

SHA1
4b25fb555514ef55bc0d4fde46ae6bbac761c695

SHA256
e9d1b8b87b1628919340293715e46a3d83a964fb7de41725dee6afd0b0e2f3bc

SHA512
10d003b3738c5416a8575be7430f643c6d77209d7826e194352287b69bc00b0211603931affd45aa3933f49c5f967e840204c37beac809ea594d4af146f6050a

Download Submit
memory/1092-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1092-64-0x00000000004139DE-mapping.dmp

Download
memory/1092-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1092-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1356-54-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1928-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads