lokibot | 610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0

General

Target

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
Size

281KB
MD5

45eb7b4ef35da0d16a5536cdaa9c7799
SHA1

0a874599297d2aa5ae66643fd2fcc2cc3a533a12
SHA256

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0
SHA512

39c9efd66075046cd97d4a56e648426a5c1ff0278eefc04aa12c17518b7bd323fff92fb47d2915cfbc05583029dbbe37e5c58a5679c2b890f18c5d4ecfdc096c

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=73724919769333816

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

kvzmznkwrn.exekvzmznkwrn.exe

pid process

4656 kvzmznkwrn.exe
4700 kvzmznkwrn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4656	kvzmznkwrn.exe
4700	kvzmznkwrn.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

kvzmznkwrn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kvzmznkwrn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	kvzmznkwrn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kvzmznkwrn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kvzmznkwrn.exe

description pid process target process

PID 4656 set thread context of 4700 4656 kvzmznkwrn.exe kvzmznkwrn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kvzmznkwrn.exe

description pid process

Token: SeDebugPrivilege 4700 kvzmznkwrn.exe

description	pid	process	target process
PID 4656 set thread context of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe

description	pid	process
Token: SeDebugPrivilege	4700	kvzmznkwrn.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exekvzmznkwrn.exe

description	pid	process	target process
PID 2128 wrote to memory of 4656	2128	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 2128 wrote to memory of 4656	2128	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 2128 wrote to memory of 4656	2128	610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe
PID 4656 wrote to memory of 4700	4656	kvzmznkwrn.exe	kvzmznkwrn.exe

outlook_office_path 1 IoCs

Processes:

kvzmznkwrn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	kvzmznkwrn.exe

outlook_win_path 1 IoCs

Processes:

kvzmznkwrn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	kvzmznkwrn.exe

C:\Users\Admin\AppData\Local\Temp\610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe
"C:\Users\Admin\AppData\Local\Temp\610a3b3d5908f770afc5198c6c9aece8b28afedabd492fa90d602df8e1915aa0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvzmznkwrn.exe
Filesize
4KB

MD5
7af6fd7843eb2d383a08f3d9d41eab61

SHA1
cb5f684c50baa6dfedc148b3b629fecb9b5eb8ba

SHA256
de0074a87982eaf5cf6fc02dc2ca578d209a85665ba458dd1148aeb8ff980765

SHA512
7607efd28cdb8ee686a50d7977892729d4999613b01e2c7d8c588fd06ec0dad8e54975fbedf33969a1c2f150ba0a8ec70b1130fd895317648203468aa7a9ed75

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmpaltjdd
Filesize
5KB

MD5
df54e923813902f353c2ccc8d89e5e97

SHA1
fba331d592bbf07a4320506f76d73c835ef573fa

SHA256
1d0f324a41cfbf8d29d1f91401c58f1283ac4209419dec4d0dfd2ddd0bb718f1

SHA512
c097e478e386a666f8ff322e437c3bab24399c1dab373708867c7600be9209add688d85752393639ff5500c67eef19580cafaa108e4bfbb066ae9717335a38ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\snpdt7niup2cx7xuu
Filesize
103KB

MD5
4e7bfc3bd7bb656eab1d23d27854861e

SHA1
564e95e844719d7d9b6c865a9091cbc950c8ae09

SHA256
7eb949429704877f655fc47d164223aa96f791377f200eee42402d4dd4b9c0aa

SHA512
f253033d221f0f42236514d02253aed87125d8005bae8f46e3144c7d5c00124a4bf97404b5313bbfe266664c683537d7ba33e6af6b60df164610bae1b32bef2c

Download Submit
memory/4656-130-0x0000000000000000-mapping.dmp

Download
memory/4700-135-0x0000000000000000-mapping.dmp

Download
memory/4700-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4700-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4700-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads