lokibot | 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5

General

Target

6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
Size

122KB
MD5

d85f82b6c267725dbef70ba110f5b972
SHA1

00724c2ed905189cd2b142ee196232b5dbadcdea
SHA256

6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5
SHA512

a9a896237a87bfcfdab0be6d445d730647afa51c48b29826d5dcec27ada75a9325300fd6cd4af673f856cca173285def4aa9f6973e0bca34c3dd4751ee4e9e79

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://hyatqfuh9olahvxf.gq/BN3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

tihue.exetihue.exe

pid process

4308 tihue.exe
2868 tihue.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4308	tihue.exe
2868	tihue.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

tihue.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tihue.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tihue.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	tihue.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

tihue.exe

description pid process target process

PID 4308 set thread context of 2868 4308 tihue.exe tihue.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tihue.exe

description pid process

Token: SeDebugPrivilege 2868 tihue.exe

description	pid	process	target process
PID 4308 set thread context of 2868	4308	tihue.exe	tihue.exe

description	pid	process
Token: SeDebugPrivilege	2868	tihue.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exetihue.exe

description	pid	process	target process
PID 3936 wrote to memory of 4308	3936	6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe	tihue.exe
PID 3936 wrote to memory of 4308	3936	6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe	tihue.exe
PID 3936 wrote to memory of 4308	3936	6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe
PID 4308 wrote to memory of 2868	4308	tihue.exe	tihue.exe

outlook_office_path 1 IoCs

Processes:

tihue.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	tihue.exe

outlook_win_path 1 IoCs

Processes:

tihue.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	tihue.exe

C:\Users\Admin\AppData\Local\Temp\6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
"C:\Users\Admin\AppData\Local\Temp\6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\tihue.exe
C:\Users\Admin\AppData\Local\Temp\tihue.exe C:\Users\Admin\AppData\Local\Temp\rigeo
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\tihue.exe
C:\Users\Admin\AppData\Local\Temp\tihue.exe C:\Users\Admin\AppData\Local\Temp\rigeo
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\djcnqdtoim
Filesize
103KB

MD5
1a405a10e36bcc78e2e0a3cbe47422b3

SHA1
71251c63293b332b6df0d8ca3fb1cfe45b7fa59e

SHA256
274cceb9121ce6fe83e87bde1f680cfd12886fa2dd38205444ee8f1c53d74fe6

SHA512
7de8db3e8edacb13fa0e0bd09f4db22d99407223e923d3f8324045643e77f61d9924644ce1845b0eb18efe7ac6b23f96c8f55d1c566350b49b4e6ec1c70aab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\rigeo
Filesize
4KB

MD5
12cee403cb1ab648b7e851c357379404

SHA1
de22ef29074112b5545c7ac1fd8c169fbb9bf19b

SHA256
a2683d812dea192f89fddcfb8eaf681467d16529dd1a317678e4e8daf02be4a2

SHA512
e744dad640be387c8ade44cfabdcee722368095078b2282ae9fe7abaad037430b47fb6a0e32f319851f13612b47bc5f33a47fccd1736d48a09e10825ad0a9010

Download Submit
C:\Users\Admin\AppData\Local\Temp\tihue.exe
Filesize
4KB

MD5
bc8a8c2aacf92b1406883163082080f7

SHA1
346ca5d693beb75850f5e849f8948b58630f1aec

SHA256
9dc99a771c79dd85b8cf9e57a13cbbaf948016fa7513153f7d12e428a83104c8

SHA512
199c7a48f2ce6c46abcc2e75ae4fa368a2cd87b959a6902c9884e676712d5456b0e5cb5b20346f16cfe3cc29087ee3ab58dde14235ae8228f19baee25832d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tihue.exe
Filesize
4KB

MD5
bc8a8c2aacf92b1406883163082080f7

SHA1
346ca5d693beb75850f5e849f8948b58630f1aec

SHA256
9dc99a771c79dd85b8cf9e57a13cbbaf948016fa7513153f7d12e428a83104c8

SHA512
199c7a48f2ce6c46abcc2e75ae4fa368a2cd87b959a6902c9884e676712d5456b0e5cb5b20346f16cfe3cc29087ee3ab58dde14235ae8228f19baee25832d2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tihue.exe
Filesize
4KB

MD5
bc8a8c2aacf92b1406883163082080f7

SHA1
346ca5d693beb75850f5e849f8948b58630f1aec

SHA256
9dc99a771c79dd85b8cf9e57a13cbbaf948016fa7513153f7d12e428a83104c8

SHA512
199c7a48f2ce6c46abcc2e75ae4fa368a2cd87b959a6902c9884e676712d5456b0e5cb5b20346f16cfe3cc29087ee3ab58dde14235ae8228f19baee25832d2ff

Download Submit
memory/2868-135-0x0000000000000000-mapping.dmp

Download
memory/2868-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2868-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2868-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4308-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads