lokibot | 187db6cc7bb80fa2a96c1b20d466165d6d453d30028b00a930944e4d91e35f46

General

Target

rfq3076h.pdf.exe
Size

535KB
MD5

fe79a5a3460060e3f01f936f552f5375
SHA1

40de4dd6222835dcd21af77fbfabac03331a89fa
SHA256

6abbb44b66478a1e33b2feb3bb3ab5eda0a1dd7a7e5625a4e9ab82111c302fae
SHA512

348c5a633113d320b4a20811f56134465f5cfed4cb9bb3127c2eeef80dc2db724309069317de379d32e6e1dc41d03f52929aa6f89ad3f22e163849ca930c9648

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://irangoodshop.com/nop/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rfq3076h.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rfq3076h.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	rfq3076h.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rfq3076h.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rfq3076h.pdf.exe

description pid process target process

PID 1744 set thread context of 876 1744 rfq3076h.pdf.exe rfq3076h.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rfq3076h.pdf.exe

pid process

1744 rfq3076h.pdf.exe
1744 rfq3076h.pdf.exe
1744 rfq3076h.pdf.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

rfq3076h.pdf.exe

pid process

876 rfq3076h.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rfq3076h.pdf.exerfq3076h.pdf.exe

description pid process

Token: SeDebugPrivilege 1744 rfq3076h.pdf.exe
Token: SeDebugPrivilege 876 rfq3076h.pdf.exe

description	pid	process	target process
PID 1744 set thread context of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe

pid	process
968	schtasks.exe

pid	process
1744	rfq3076h.pdf.exe
1744	rfq3076h.pdf.exe
1744	rfq3076h.pdf.exe

pid	process
876	rfq3076h.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1744	rfq3076h.pdf.exe
Token: SeDebugPrivilege	876	rfq3076h.pdf.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rfq3076h.pdf.exe

description	pid	process	target process
PID 1744 wrote to memory of 968	1744	rfq3076h.pdf.exe	schtasks.exe
PID 1744 wrote to memory of 968	1744	rfq3076h.pdf.exe	schtasks.exe
PID 1744 wrote to memory of 968	1744	rfq3076h.pdf.exe	schtasks.exe
PID 1744 wrote to memory of 968	1744	rfq3076h.pdf.exe	schtasks.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe
PID 1744 wrote to memory of 876	1744	rfq3076h.pdf.exe	rfq3076h.pdf.exe

outlook_office_path 1 IoCs

Processes:

rfq3076h.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	rfq3076h.pdf.exe

outlook_win_path 1 IoCs

Processes:

rfq3076h.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rfq3076h.pdf.exe

C:\Users\Admin\AppData\Local\Temp\rfq3076h.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\rfq3076h.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SbWFfDP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FB2.tmp"
2⤵
- Creates scheduled task(s)
PID:968

C:\Users\Admin\AppData\Local\Temp\rfq3076h.pdf.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1FB2.tmp
Filesize
1KB

MD5
d7f8dff7f47ea4d8fb6b6bd59966fcbc

SHA1
c1a6d0d64d792909de0147065b4340aebc245376

SHA256
263e196572be60a2ad4091094408038e3ebd29860380c8494ed858c77bcc7d18

SHA512
8b387e90c21756afac8f8c2d19ca8b5a391222dedc4d8cca0385e825f44b979a10213f1388540e588ce6b96d89955fea9a6c22dca64e9445f1b1125f08e1d5df

Download Submit
memory/876-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-58-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-59-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-67-0x00000000004139DE-mapping.dmp

Download
memory/876-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/876-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1744-55-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads