lokibot | 92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c

General

Target

92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe
Size

136KB
MD5

7b7351bdf7eec81ce0dcb0c1cdd097b8
SHA1

1339f6f177c514fef63a9caebe319e40430fddcd
SHA256

92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c
SHA512

9b96a434e49df6a74ae6ec42f8a1cfdd10f60efbacbacf285462c15e29c11b83d4542e7c088022ffac7f3e78be011ed2bf9623615a4fa7e44ed52502750b2a98

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gg7/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

dyyjmvr.exedyyjmvr.exe

pid process

1268 dyyjmvr.exe
456 dyyjmvr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1268	dyyjmvr.exe
456	dyyjmvr.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dyyjmvr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dyyjmvr.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dyyjmvr.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dyyjmvr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dyyjmvr.exe

description pid process target process

PID 1268 set thread context of 456 1268 dyyjmvr.exe dyyjmvr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dyyjmvr.exe

description pid process

Token: SeDebugPrivilege 456 dyyjmvr.exe

description	pid	process	target process
PID 1268 set thread context of 456	1268	dyyjmvr.exe	dyyjmvr.exe

description	pid	process
Token: SeDebugPrivilege	456	dyyjmvr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exedyyjmvr.exe

description	pid	process	target process
PID 4160 wrote to memory of 1268	4160	92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe	dyyjmvr.exe
PID 4160 wrote to memory of 1268	4160	92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe	dyyjmvr.exe
PID 4160 wrote to memory of 1268	4160	92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe
PID 1268 wrote to memory of 456	1268	dyyjmvr.exe	dyyjmvr.exe

outlook_office_path 1 IoCs

Processes:

dyyjmvr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dyyjmvr.exe

outlook_win_path 1 IoCs

Processes:

dyyjmvr.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dyyjmvr.exe

C:\Users\Admin\AppData\Local\Temp\92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe
"C:\Users\Admin\AppData\Local\Temp\92496ca3cab558812f1f042cb8ccd6374ed9b75409bc8ec03bb81b93b1371c0c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe C:\Users\Admin\AppData\Local\Temp\zronrnvqf
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe C:\Users\Admin\AppData\Local\Temp\zronrnvqf
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8g1ny0ms8occjfzv
Filesize
103KB

MD5
6ea252077407f2cfed0c747acef2f9b5

SHA1
03efde1c13297a85b487dc8790bb505aa07f45fa

SHA256
daa4358d0071874e53af806b4646510b923ae06076d22f2117cd0fb252de2de2

SHA512
330ee52d434e2c1670c2cfc59f479188ec6f271e2ff76ff6debbba6f0ebaf6f29a89ca7220c4bcc88e6cf9c93a1a9c99270795a2cbe36e41b53d97497e5bce8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
Filesize
5KB

MD5
ee3c8362e827ee7d08144634c50ba4cb

SHA1
6dcbb113268393faef838dccca56cadf86f387fc

SHA256
5f00dea5dd6cffcdae4c24700236ed168fcff3c2741bbdb2ce5d9a964b3a3568

SHA512
3667a45681cdfdecc754dd302a98954307f270c0564d3adf03cdf0f0139b4fa85d16e0283d9078e4885c3076baef1c5857c78a1619536855b93069f882c7c5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
Filesize
5KB

MD5
ee3c8362e827ee7d08144634c50ba4cb

SHA1
6dcbb113268393faef838dccca56cadf86f387fc

SHA256
5f00dea5dd6cffcdae4c24700236ed168fcff3c2741bbdb2ce5d9a964b3a3568

SHA512
3667a45681cdfdecc754dd302a98954307f270c0564d3adf03cdf0f0139b4fa85d16e0283d9078e4885c3076baef1c5857c78a1619536855b93069f882c7c5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dyyjmvr.exe
Filesize
5KB

MD5
ee3c8362e827ee7d08144634c50ba4cb

SHA1
6dcbb113268393faef838dccca56cadf86f387fc

SHA256
5f00dea5dd6cffcdae4c24700236ed168fcff3c2741bbdb2ce5d9a964b3a3568

SHA512
3667a45681cdfdecc754dd302a98954307f270c0564d3adf03cdf0f0139b4fa85d16e0283d9078e4885c3076baef1c5857c78a1619536855b93069f882c7c5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zronrnvqf
Filesize
4KB

MD5
f478fd677105ef45c220a1f7518522b6

SHA1
027c56667159b329325159fb0725ab3044fa34e5

SHA256
a0070ce8238c965c6044ecbb2bb9fcb4eacf546796666d4d1ad2cb25f67d5455

SHA512
360beab1b07d68dda8d48a9d83a0e0c28122c6661a8f07b3a86597f05dc930c78e9fc2680e7be5ce07f812109747a12a673cfd2966e0c8cacceb92bdeafc7e12

Download Submit
memory/456-135-0x0000000000000000-mapping.dmp

Download
memory/456-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/456-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/456-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads