lokibot | c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f

General

Target

c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe
Size

320KB
MD5

9d85837c19f17bb41eb39aaa6c608b74
SHA1

e5dfb98dde09cf621cdeb96c491e5f23510ee37a
SHA256

c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f
SHA512

43e6f3e48cd0fee2f996a84adc0235a8ac5a9cdc5a969d2a21a9c859b402469d8a72aa5216d122e2c2df7d7c38903ce8177c1fc47a1851183e5c65352829944e

Score

10^/10

lokibot collection persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://mellle.com/ses/Panel/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

kernelsystmgr.exekernelsystmgr.exe

pid process

220 kernelsystmgr.exe
4356 kernelsystmgr.exe

pid	process
220	kernelsystmgr.exe
4356	kernelsystmgr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

kernelsystmgr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kernelsystmgr.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	kernelsystmgr.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kernelsystmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kernelsystmgr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemkernel = "C:\\Users\\Admin\\AppData\\Local\\kernelsystmgr.exe"	kernelsystmgr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kernelsystmgr.exe

description pid process target process

PID 220 set thread context of 4356 220 kernelsystmgr.exe kernelsystmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 220 set thread context of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exekernelsystmgr.exe

description	pid	process
Token: SeDebugPrivilege	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe
Token: SeDebugPrivilege	220	kernelsystmgr.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.execmd.exekernelsystmgr.exe

description	pid	process	target process
PID 3468 wrote to memory of 3112	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe	cmd.exe
PID 3468 wrote to memory of 3112	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe	cmd.exe
PID 3468 wrote to memory of 3112	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe	cmd.exe
PID 3468 wrote to memory of 4152	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe	cmd.exe
PID 3468 wrote to memory of 4152	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe	cmd.exe
PID 3468 wrote to memory of 4152	3468	c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe	cmd.exe
PID 4152 wrote to memory of 220	4152	cmd.exe	kernelsystmgr.exe
PID 4152 wrote to memory of 220	4152	cmd.exe	kernelsystmgr.exe
PID 4152 wrote to memory of 220	4152	cmd.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe
PID 220 wrote to memory of 4356	220	kernelsystmgr.exe	kernelsystmgr.exe

outlook_office_path 1 IoCs

Processes:

kernelsystmgr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kernelsystmgr.exe

outlook_win_path 1 IoCs

Processes:

kernelsystmgr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kernelsystmgr.exe

C:\Users\Admin\AppData\Local\Temp\c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe
"C:\Users\Admin\AppData\Local\Temp\c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f.exe" "C:\Users\Admin\AppData\Local\kernelsystmgr.exe"
2⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\kernelsystmgr.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\kernelsystmgr.exe
"C:\Users\Admin\AppData\Local\kernelsystmgr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\kernelsystmgr.exe
"C:\Users\Admin\AppData\Local\kernelsystmgr.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kernelsystmgr.exe
Filesize
320KB

MD5
9d85837c19f17bb41eb39aaa6c608b74

SHA1
e5dfb98dde09cf621cdeb96c491e5f23510ee37a

SHA256
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f

SHA512
43e6f3e48cd0fee2f996a84adc0235a8ac5a9cdc5a969d2a21a9c859b402469d8a72aa5216d122e2c2df7d7c38903ce8177c1fc47a1851183e5c65352829944e

Download Submit
C:\Users\Admin\AppData\Local\kernelsystmgr.exe
Filesize
320KB

MD5
9d85837c19f17bb41eb39aaa6c608b74

SHA1
e5dfb98dde09cf621cdeb96c491e5f23510ee37a

SHA256
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f

SHA512
43e6f3e48cd0fee2f996a84adc0235a8ac5a9cdc5a969d2a21a9c859b402469d8a72aa5216d122e2c2df7d7c38903ce8177c1fc47a1851183e5c65352829944e

Download Submit
C:\Users\Admin\AppData\Local\kernelsystmgr.exe
Filesize
320KB

MD5
9d85837c19f17bb41eb39aaa6c608b74

SHA1
e5dfb98dde09cf621cdeb96c491e5f23510ee37a

SHA256
c7e2727f98b868dad9cc7de6d9c378d27fd3a29eea6589739d36e7309773241f

SHA512
43e6f3e48cd0fee2f996a84adc0235a8ac5a9cdc5a969d2a21a9c859b402469d8a72aa5216d122e2c2df7d7c38903ce8177c1fc47a1851183e5c65352829944e

Download Submit
memory/220-136-0x0000000000000000-mapping.dmp

Download
memory/3112-134-0x0000000000000000-mapping.dmp

Download
memory/3468-133-0x00000000060C0000-0x0000000006664000-memory.dmp

Filesize
5.6MB

Download
memory/3468-130-0x0000000000A20000-0x0000000000A76000-memory.dmp

Filesize
344KB

Download
memory/3468-132-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/3468-131-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4152-135-0x0000000000000000-mapping.dmp

Download
memory/4356-139-0x0000000000000000-mapping.dmp

Download
memory/4356-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-143-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4356-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads