lokibot | 9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

General

Target

tmp.exe
Size

178KB
MD5

fefc2d8ef05916189407d8917c61ba13
SHA1

92aa5269b897b91a220dbb70ac54c27807486fa4
SHA256

9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e
SHA512

8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.gq/BN3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

owtepue.exeowtepue.exe

pid process

4008 owtepue.exe
1992 owtepue.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4008	owtepue.exe
1992	owtepue.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

owtepue.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	owtepue.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	owtepue.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	owtepue.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

owtepue.exe

description pid process target process

PID 4008 set thread context of 1992 4008 owtepue.exe owtepue.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

owtepue.exe

description pid process

Token: SeDebugPrivilege 1992 owtepue.exe

description	pid	process	target process
PID 4008 set thread context of 1992	4008	owtepue.exe	owtepue.exe

description	pid	process
Token: SeDebugPrivilege	1992	owtepue.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exeowtepue.exe

description	pid	process	target process
PID 2060 wrote to memory of 4008	2060	tmp.exe	owtepue.exe
PID 2060 wrote to memory of 4008	2060	tmp.exe	owtepue.exe
PID 2060 wrote to memory of 4008	2060	tmp.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe
PID 4008 wrote to memory of 1992	4008	owtepue.exe	owtepue.exe

outlook_office_path 1 IoCs

Processes:

owtepue.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	owtepue.exe

outlook_win_path 1 IoCs

Processes:

owtepue.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	owtepue.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\owtepue.exe
C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\owtepue.exe
C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duiuz
Filesize
4KB

MD5
fab39498d9d8ab6c001b8a5686df166e

SHA1
0662834f2105f0e0e5434c8edb687cb0af8f0160

SHA256
eb7a54c62d7de9d4676111930d34ef53ae1666721a9d6b0a5fbd2e3162342f04

SHA512
1b978527620e57cff441fecc637849a28a0760acbde357a3123ac463ac98590e92f2e80f4d51018f0eaf878800975e749035167072d8c9c02b21578377b709c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owtepue.exe
Filesize
74KB

MD5
8a9fb162d4f5be258225bb2e48b0b052

SHA1
c03d6731af8090439ed1445a10b00dd5df7b7794

SHA256
8582973a5f8940fbf5f5bd270566b2ed3bf50fd80fa5d441037b240f6914adb3

SHA512
cf80bf5ae20c95ab7c4e2240ac95910c5e397d10460f6f8be2fdf1a40127e7eb456f356a5b9dbedcf05bc89651e3d399349f8a747df64e429426371323ded5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owtepue.exe
Filesize
74KB

MD5
8a9fb162d4f5be258225bb2e48b0b052

SHA1
c03d6731af8090439ed1445a10b00dd5df7b7794

SHA256
8582973a5f8940fbf5f5bd270566b2ed3bf50fd80fa5d441037b240f6914adb3

SHA512
cf80bf5ae20c95ab7c4e2240ac95910c5e397d10460f6f8be2fdf1a40127e7eb456f356a5b9dbedcf05bc89651e3d399349f8a747df64e429426371323ded5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\owtepue.exe
Filesize
74KB

MD5
8a9fb162d4f5be258225bb2e48b0b052

SHA1
c03d6731af8090439ed1445a10b00dd5df7b7794

SHA256
8582973a5f8940fbf5f5bd270566b2ed3bf50fd80fa5d441037b240f6914adb3

SHA512
cf80bf5ae20c95ab7c4e2240ac95910c5e397d10460f6f8be2fdf1a40127e7eb456f356a5b9dbedcf05bc89651e3d399349f8a747df64e429426371323ded5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmj21u6p99
Filesize
103KB

MD5
f6866e98eac0add80603f5bb849702bd

SHA1
e4853989141797332545b38d372f891e8905cace

SHA256
c7f68003f9e161790a9268e8e5197967d7358d19e0abdaaa7f7158ca4bed5035

SHA512
0b076eddcf572586573906b59ad75742364e07d94cac40e96d78b24fe2095f41072e95d6d71bf7de2ef132fea4f6aa3c862d495fcee9a32950b8dd84acaec24f

Download Submit
memory/1992-135-0x0000000000000000-mapping.dmp

Download
memory/1992-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1992-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4008-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads