tmp

General

Target: tmp.exe
Filesize: 178KB
Completed: 14-05-2022 14:38
Score: 10/10
MD5: fefc2d8ef05916189407d8917c61ba13
SHA1: 92aa5269b897b91a220dbb70ac54c27807486fa4
SHA256: 9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

Malware Config

Extracted

Family: lokibot
C2:
  http://hyatqfuh9olahvxf.gq/BN3/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

Signatures 17


Collection, Credential Access, Discovery
  • Lokibot

    Description

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

  • suricata: ET MALWARE LokiBot Checkin

  • suricata: ET MALWARE LokiBot Fake 404 Response

  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Executes dropped EXE
    owtepue.exe, owtepue.exe

    Reported IOCs

    pid   process
    4008  owtepue.exe
    1992  owtepue.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles
    owtepue.exe

    TTPs

    Email Collection

    Reported IOCs

    description  ioc                                                                                                                                               process
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  owtepue.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                   owtepue.exe
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                   owtepue.exe
  • Suspicious use of SetThreadContext
    owtepue.exe

    Reported IOCs

    description                          pid   process      target process
    PID 4008 set thread context of 1992  4008  owtepue.exe  owtepue.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious use of AdjustPrivilegeToken
    owtepue.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1992  owtepue.exe
  • Suspicious use of WriteProcessMemory
    tmp.exe, owtepue.exe

    Reported IOCs

    description                       pid   process      target process  occurrences
    PID 2060 wrote to memory of 4008  2060  tmp.exe      owtepue.exe     3
    PID 4008 wrote to memory of 1992  4008  owtepue.exe  owtepue.exe     9
  • outlook_office_path
    owtepue.exe

    Reported IOCs

    description  ioc                                                                                                                process
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  owtepue.exe
  • outlook_win_path
    owtepue.exe

    Reported IOCs

    description  ioc                                                                                                                                               process
    Key opened   \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  owtepue.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\owtepue.exe
      C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\owtepue.exe
        C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        PID:1992
Network

MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\duiuz

    MD5: fab39498d9d8ab6c001b8a5686df166e
    SHA1: 0662834f2105f0e0e5434c8edb687cb0af8f0160
    SHA256: eb7a54c62d7de9d4676111930d34ef53ae1666721a9d6b0a5fbd2e3162342f04
    SHA512: 1b978527620e57cff441fecc637849a28a0760acbde357a3123ac463ac98590e92f2e80f4d51018f0eaf878800975e749035167072d8c9c02b21578377b709c6

  • C:\Users\Admin\AppData\Local\Temp\owtepue.exe

    MD5: 8a9fb162d4f5be258225bb2e48b0b052
    SHA1: c03d6731af8090439ed1445a10b00dd5df7b7794
    SHA256: 8582973a5f8940fbf5f5bd270566b2ed3bf50fd80fa5d441037b240f6914adb3
    SHA512: cf80bf5ae20c95ab7c4e2240ac95910c5e397d10460f6f8be2fdf1a40127e7eb456f356a5b9dbedcf05bc89651e3d399349f8a747df64e429426371323ded5c6

  • C:\Users\Admin\AppData\Local\Temp\tmj21u6p99

    MD5: f6866e98eac0add80603f5bb849702bd
    SHA1: e4853989141797332545b38d372f891e8905cace
    SHA256: c7f68003f9e161790a9268e8e5197967d7358d19e0abdaaa7f7158ca4bed5035
    SHA512: 0b076eddcf572586573906b59ad75742364e07d94cac40e96d78b24fe2095f41072e95d6d71bf7de2ef132fea4f6aa3c862d495fcee9a32950b8dd84acaec24f

  • memory/1992-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/1992-135-0x0000000000000000-mapping.dmp
  • memory/1992-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/1992-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/4008-130-0x0000000000000000-mapping.dmp