lokibot | f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8

General

Target

f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe
Size

310KB
MD5

0c5c5af36d67e89a321bff54e6f6e431
SHA1

d894a2ab68371b6661468c6906648cd11f38ff32
SHA256

f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8
SHA512

fcd788eb744423db5169362a11ca7a16408bb54fccb79ed375342e6715de92bb3dcfd4c93472f71ec9be14b9d97460f95a731f3a2865f0c51977644f6c7da9fd

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gg1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

kewso.exekewso.exe

pid process

3040 kewso.exe
3032 kewso.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3040	kewso.exe
3032	kewso.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

kewso.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kewso.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kewso.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	kewso.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kewso.exe

description pid process target process

PID 3040 set thread context of 3032 3040 kewso.exe kewso.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kewso.exe

description pid process

Token: SeDebugPrivilege 3032 kewso.exe

description	pid	process	target process
PID 3040 set thread context of 3032	3040	kewso.exe	kewso.exe

description	pid	process
Token: SeDebugPrivilege	3032	kewso.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exekewso.exe

description	pid	process	target process
PID 2480 wrote to memory of 3040	2480	f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe	kewso.exe
PID 2480 wrote to memory of 3040	2480	f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe	kewso.exe
PID 2480 wrote to memory of 3040	2480	f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe
PID 3040 wrote to memory of 3032	3040	kewso.exe	kewso.exe

outlook_office_path 1 IoCs

Processes:

kewso.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kewso.exe

outlook_win_path 1 IoCs

Processes:

kewso.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kewso.exe

C:\Users\Admin\AppData\Local\Temp\f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe
"C:\Users\Admin\AppData\Local\Temp\f711d2623368f02a5857f7bc62e647800077b2abd9efe0b3040dcb0bac4a50c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\kewso.exe
C:\Users\Admin\AppData\Local\Temp\kewso.exe C:\Users\Admin\AppData\Local\Temp\vrodx
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\kewso.exe
C:\Users\Admin\AppData\Local\Temp\kewso.exe C:\Users\Admin\AppData\Local\Temp\vrodx
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kewso.exe
Filesize
3KB

MD5
578700b75b00ba190a9f816ad0520040

SHA1
8a95becfac02a16a54a73fc300c14057cd6ed161

SHA256
da2c014a9326f97a85d46d96eeaf6a92991ca0bb80b43ed77b77bd576053aaab

SHA512
a2b42af08b528a120b3b0b10a7fcef7205b4922ccfccd19eec5d4062742726bd6cec24349419bfb6a284a11b2da78513d3952c775b3b4a55919e37d6ebceaa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\kewso.exe
Filesize
3KB

MD5
578700b75b00ba190a9f816ad0520040

SHA1
8a95becfac02a16a54a73fc300c14057cd6ed161

SHA256
da2c014a9326f97a85d46d96eeaf6a92991ca0bb80b43ed77b77bd576053aaab

SHA512
a2b42af08b528a120b3b0b10a7fcef7205b4922ccfccd19eec5d4062742726bd6cec24349419bfb6a284a11b2da78513d3952c775b3b4a55919e37d6ebceaa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\kewso.exe
Filesize
3KB

MD5
578700b75b00ba190a9f816ad0520040

SHA1
8a95becfac02a16a54a73fc300c14057cd6ed161

SHA256
da2c014a9326f97a85d46d96eeaf6a92991ca0bb80b43ed77b77bd576053aaab

SHA512
a2b42af08b528a120b3b0b10a7fcef7205b4922ccfccd19eec5d4062742726bd6cec24349419bfb6a284a11b2da78513d3952c775b3b4a55919e37d6ebceaa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrodx
Filesize
4KB

MD5
69fa624ce367d56532cb855bc21e6c13

SHA1
b22ada140bfbe21aeb379105c643ee391ec95dd9

SHA256
bf709b82d2a61eca3ea7b3d14df110dfa4f5097205c6a58adcbfbba83af11594

SHA512
b3e4cbbc0c7bd270d12a51d9ff810e5509b367723303384fe15fd84ba5eb841913ec445e3177c7327d4cda6d7bde6cf758473a065eb6fce1bae951b3d2689a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1qigbqbal
Filesize
103KB

MD5
2ba8bbd4f80b845a3097390794e5afbe

SHA1
7ed6016e8f4de46f794dfdd702fc085770fd9c75

SHA256
0d837989e64a6df744e5a916c8661f9a9eab377c565abd99b7d73c6f7958cfce

SHA512
d443281e9bbb2e5947d0df9cc806814e82ea2358ab39f8cbfc7c42a7ad3f923152cdd6e9a217ba8b75d17a2e34dcd3180019486061c15960107dc3253b1c3aa8

Download Submit
memory/3032-135-0x0000000000000000-mapping.dmp

Download
memory/3032-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3032-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3032-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3040-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads