lokibot | 3bd28e886cb9367751d223ed38e086bb55ed4dbd737cd2060c9b5d5dab5a56e1

General

Target

Request For Quotation.exe
Size

666KB
MD5

d903149bfb01a43a2afafddcbb9f2ff5
SHA1

37b4111dc0f14a7e156c1bfa0c57be2f8c62f540
SHA256

1c6998eb17cf21837fa8153add76ce113846aa94e96d089687fce38c25bbd31f
SHA512

059db520c92103fbf43c5fa66bc104f559541e9119d3dcc83825966d72127bb93ef936d6db6869fda4c1c3b8bb35ef556302bb523fb1cb9b376867844b4b891b

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Request For Quotation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Request For Quotation.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Request For Quotation.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Request For Quotation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Request For Quotation.exe

description pid process target process

PID 2992 set thread context of 3428 2992 Request For Quotation.exe Request For Quotation.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Request For Quotation.exe

pid process

2992 Request For Quotation.exe
2992 Request For Quotation.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Request For Quotation.exe

pid process

2992 Request For Quotation.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Request For Quotation.exe

pid process

3428 Request For Quotation.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Request For Quotation.exe

description pid process

Token: SeDebugPrivilege 3428 Request For Quotation.exe

description	pid	process	target process
PID 2992 set thread context of 3428	2992	Request For Quotation.exe	Request For Quotation.exe

pid	process
2992	Request For Quotation.exe
2992	Request For Quotation.exe

pid	process
2992	Request For Quotation.exe

pid	process
3428	Request For Quotation.exe

description	pid	process
Token: SeDebugPrivilege	3428	Request For Quotation.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Request For Quotation.exe

description	pid	process	target process
PID 2992 wrote to memory of 3428	2992	Request For Quotation.exe	Request For Quotation.exe
PID 2992 wrote to memory of 3428	2992	Request For Quotation.exe	Request For Quotation.exe
PID 2992 wrote to memory of 3428	2992	Request For Quotation.exe	Request For Quotation.exe

outlook_office_path 1 IoCs

Processes:

Request For Quotation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Request For Quotation.exe

outlook_win_path 1 IoCs

Processes:

Request For Quotation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Request For Quotation.exe

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2992-131-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/3428-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads