lokibot | f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e

General

Target

tmp.exe
Size

505KB
MD5

42bbd99a0ea0fcc5a3f9e6331277cc14
SHA1

fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d
SHA256

f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e
SHA512

5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://85.202.169.172/remote/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	tmp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1948 set thread context of 1764 1948 tmp.exe tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1416 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

tmp.exepowershell.exe

pid process

1948 tmp.exe
1948 tmp.exe
1420 powershell.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

tmp.exe

pid process

1764 tmp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exepowershell.exetmp.exe

description pid process

Token: SeDebugPrivilege 1948 tmp.exe
Token: SeDebugPrivilege 1420 powershell.exe
Token: SeDebugPrivilege 1764 tmp.exe

description	pid	process	target process
PID 1948 set thread context of 1764	1948	tmp.exe	tmp.exe

pid	process
1416	schtasks.exe

pid	process
1948	tmp.exe
1948	tmp.exe
1420	powershell.exe

pid	process
1764	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1948	tmp.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1764	tmp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1948 wrote to memory of 1420	1948	tmp.exe	powershell.exe
PID 1948 wrote to memory of 1420	1948	tmp.exe	powershell.exe
PID 1948 wrote to memory of 1420	1948	tmp.exe	powershell.exe
PID 1948 wrote to memory of 1420	1948	tmp.exe	powershell.exe
PID 1948 wrote to memory of 1416	1948	tmp.exe	schtasks.exe
PID 1948 wrote to memory of 1416	1948	tmp.exe	schtasks.exe
PID 1948 wrote to memory of 1416	1948	tmp.exe	schtasks.exe
PID 1948 wrote to memory of 1416	1948	tmp.exe	schtasks.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe
PID 1948 wrote to memory of 1764	1948	tmp.exe	tmp.exe

outlook_office_path 1 IoCs

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tmp.exe

outlook_win_path 1 IoCs

Processes:

tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oThZSjpokwnYHu.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oThZSjpokwnYHu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpACD4.tmp"
2⤵
- Creates scheduled task(s)
PID:1416

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpACD4.tmp
Filesize
1KB

MD5
53234fa2569da8bb860cfd0e7c1394c9

SHA1
3fdada4fe119e0a9d0116c62ee99427411656f38

SHA256
32814fc546f40735977160f6e012d9c76d5c96cf9439d0ec4b26cc2c7187bf34

SHA512
bde5ca4621254c3562f25528dfa8b5229c2085e681daeb4d5bdb57784b9fa811e74b6a51a9622491e70e8a6d62e85fa89bdb986583d9c5bf8087b884e6e7babe

Download Submit
memory/1416-59-0x0000000000000000-mapping.dmp

Download
memory/1420-58-0x0000000000000000-mapping.dmp

Download
memory/1420-76-0x000000006EA80000-0x000000006F02B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-72-0x00000000004139DE-mapping.dmp

Download
memory/1764-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1764-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1948-54-0x0000000000F30000-0x0000000000FB4000-memory.dmp

Filesize
528KB

Download
memory/1948-57-0x0000000004800000-0x0000000004870000-memory.dmp

Filesize
448KB

Download
memory/1948-62-0x00000000048A0000-0x00000000048C0000-memory.dmp

Filesize
128KB

Download
memory/1948-55-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads