lokibot | 73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f

General

Target

73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe
Size

136KB
MD5

a33b751ae80d3c17365e43514e8e64eb
SHA1

4353a2b794b86c90328a51141166e06a6100ab81
SHA256

73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f
SHA512

14cdc7c3122bc5bf5c7ee651ac61000a05bde189cec2884c8385e4f5cc9f30e4f59c23ded4af05f0635def96d6ff5ee1ad5acb80eb0f3d969800548e13519967

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gg2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

pbilukxxp.exepbilukxxp.exe

pid process

3396 pbilukxxp.exe
4628 pbilukxxp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3396	pbilukxxp.exe
4628	pbilukxxp.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

pbilukxxp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	pbilukxxp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	pbilukxxp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pbilukxxp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pbilukxxp.exe

description pid process target process

PID 3396 set thread context of 4628 3396 pbilukxxp.exe pbilukxxp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pbilukxxp.exe

description pid process

Token: SeDebugPrivilege 4628 pbilukxxp.exe

description	pid	process	target process
PID 3396 set thread context of 4628	3396	pbilukxxp.exe	pbilukxxp.exe

description	pid	process
Token: SeDebugPrivilege	4628	pbilukxxp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exepbilukxxp.exe

description	pid	process	target process
PID 4272 wrote to memory of 3396	4272	73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe	pbilukxxp.exe
PID 4272 wrote to memory of 3396	4272	73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe	pbilukxxp.exe
PID 4272 wrote to memory of 3396	4272	73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe
PID 3396 wrote to memory of 4628	3396	pbilukxxp.exe	pbilukxxp.exe

outlook_office_path 1 IoCs

Processes:

pbilukxxp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	pbilukxxp.exe

outlook_win_path 1 IoCs

Processes:

pbilukxxp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pbilukxxp.exe

C:\Users\Admin\AppData\Local\Temp\73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe
"C:\Users\Admin\AppData\Local\Temp\73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe C:\Users\Admin\AppData\Local\Temp\yuaymhmxy
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe C:\Users\Admin\AppData\Local\Temp\yuaymhmxy
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ln5bae9u5vvvm7j
Filesize
103KB

MD5
bb92d81c9f4f109489a440bb5736dbc9

SHA1
1e8f3bc0a91b6c08feda10356d8d0ddb772e8d69

SHA256
df3f05a647bf65af1590a95f05be3ca05639b9e63405ecdb0a1c92309cf90408

SHA512
93efdf2171fd92c4b6aad5b326900adffba0ee0be10249dafb6a12ea0c8629c6ff3e499b91c0c8e4c18647ce068b904eade4e19aab73845a51dc11c4fe5bd7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
Filesize
5KB

MD5
8577f84304ec69a2a97bea84a294f3ef

SHA1
031c4deffe9161bd5a46fc32cd37432c0d7b5fd1

SHA256
e5781f1b1d2ba037eb464d8a37e087f5a25b7eae6d531fa8e9bd4ed4fb377302

SHA512
40067f8480764a4719d21b9b31c2aec4dc964a388538cd326e5e04a51ef60645287ac5e7b3d23f5b72b36f976388cbb353716464aeb62f3b2a0cf21c7651a0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
Filesize
5KB

MD5
8577f84304ec69a2a97bea84a294f3ef

SHA1
031c4deffe9161bd5a46fc32cd37432c0d7b5fd1

SHA256
e5781f1b1d2ba037eb464d8a37e087f5a25b7eae6d531fa8e9bd4ed4fb377302

SHA512
40067f8480764a4719d21b9b31c2aec4dc964a388538cd326e5e04a51ef60645287ac5e7b3d23f5b72b36f976388cbb353716464aeb62f3b2a0cf21c7651a0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
Filesize
5KB

MD5
8577f84304ec69a2a97bea84a294f3ef

SHA1
031c4deffe9161bd5a46fc32cd37432c0d7b5fd1

SHA256
e5781f1b1d2ba037eb464d8a37e087f5a25b7eae6d531fa8e9bd4ed4fb377302

SHA512
40067f8480764a4719d21b9b31c2aec4dc964a388538cd326e5e04a51ef60645287ac5e7b3d23f5b72b36f976388cbb353716464aeb62f3b2a0cf21c7651a0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuaymhmxy
Filesize
5KB

MD5
c558b829d612fe1fcaa8b8947d917d1c

SHA1
697b1b0d527a72a14c69f9d51cbec4d5dccc2069

SHA256
0c065067f1b7f19cd75bc177124472138879fce559444897cdbaf1c5f6adb58b

SHA512
fb637bbe98faae0685c32908e70b25268f9d497e2b04a0c3d76ef0e57a86c9663a54e48d1557dc51fe4c46a4e4e34e12826d7c0e15bf5ac9f133a45199304b1f

Download Submit
memory/3396-130-0x0000000000000000-mapping.dmp

Download
memory/4628-135-0x0000000000000000-mapping.dmp

Download
memory/4628-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4628-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4628-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads