lokibot | 00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692

General

Target

00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
Size

123KB
MD5

401d189e5da7d6d6d490a4ed29a5538a
SHA1

4111011de3c146560fe3a3f47af2008b4aa49816
SHA256

00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692
SHA512

2808bf54a542c3740f5b8fc370411d86108188dd27e18d3a55c73c36ffe1e1a2380936f32eca024460b3eb0738cb81a24ece55913edcd54b79c089a8e04a9c58

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gf9/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

ytpgwim.exeytpgwim.exe

pid process

556 ytpgwim.exe
1724 ytpgwim.exe

pid	process
556	ytpgwim.exe
1724	ytpgwim.exe

Loads dropped DLL 3 IoCs

Processes:

00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exeytpgwim.exe

pid	process
1276	00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
1276	00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
556	ytpgwim.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ytpgwim.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ytpgwim.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ytpgwim.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ytpgwim.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ytpgwim.exe

description pid process target process

PID 556 set thread context of 1724 556 ytpgwim.exe ytpgwim.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ytpgwim.exe

description pid process

Token: SeDebugPrivilege 1724 ytpgwim.exe

description	pid	process	target process
PID 556 set thread context of 1724	556	ytpgwim.exe	ytpgwim.exe

description	pid	process
Token: SeDebugPrivilege	1724	ytpgwim.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exeytpgwim.exe

description	pid	process	target process
PID 1276 wrote to memory of 556	1276	00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe	ytpgwim.exe
PID 1276 wrote to memory of 556	1276	00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe	ytpgwim.exe
PID 1276 wrote to memory of 556	1276	00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe	ytpgwim.exe
PID 1276 wrote to memory of 556	1276	00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe
PID 556 wrote to memory of 1724	556	ytpgwim.exe	ytpgwim.exe

outlook_office_path 1 IoCs

Processes:

ytpgwim.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ytpgwim.exe

outlook_win_path 1 IoCs

Processes:

ytpgwim.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ytpgwim.exe

C:\Users\Admin\AppData\Local\Temp\00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe
"C:\Users\Admin\AppData\Local\Temp\00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe C:\Users\Admin\AppData\Local\Temp\josjsbh
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe C:\Users\Admin\AppData\Local\Temp\josjsbh
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\josjsbh
Filesize
4KB

MD5
54141003d803a6774429f77e72f34231

SHA1
a54c1851e875801921f128431d4f1c4302e35c7d

SHA256
7e0f406b8c3d315423093bf929a11bd4de1c86648b5f74c325d1743e20da8fa0

SHA512
3fbea261ede6ce8aa0736dd4e2181c79007367646658ed3f32d7e66441edb936254db4d779b8b0e627109a9ac7f9ae1f50c098e39e9ecba419e7e1d012089a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcic4m1id9f4
Filesize
103KB

MD5
5da6fa97c0573a9298ada940e49f03ff

SHA1
1828d419354f69f1855f3ca725383d50853d6dc7

SHA256
462b4de94605cf825c7ce3fac295f891954cc51d863bc6a8383b7ccab77b3bf1

SHA512
1e8d7e2670d053872bd2926b05c500f97ab2e53d050a95dde7b08e622db94e5a0fa2bbd38f281cbc541bcdb51cae68a9a2adbc02c81fed2ab442979a8ff1d458

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
Filesize
4KB

MD5
01f85b1c52121942b82d150bd97c9786

SHA1
cb873be9eef8e814693bd80f4386cd4cf6b8689b

SHA256
26f8cd0debfb6ffe5ab0245cfd20a49c80c758a7cc100d62793c34896d3fadfd

SHA512
7deb17425ea0ead8e39319e8888425717baced9d7284219c5d07933d1025bf58651f346ed87c19f219fddef14e603af399e84d105a79986385c086d1ea3ce279

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
Filesize
4KB

MD5
01f85b1c52121942b82d150bd97c9786

SHA1
cb873be9eef8e814693bd80f4386cd4cf6b8689b

SHA256
26f8cd0debfb6ffe5ab0245cfd20a49c80c758a7cc100d62793c34896d3fadfd

SHA512
7deb17425ea0ead8e39319e8888425717baced9d7284219c5d07933d1025bf58651f346ed87c19f219fddef14e603af399e84d105a79986385c086d1ea3ce279

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytpgwim.exe
Filesize
4KB

MD5
01f85b1c52121942b82d150bd97c9786

SHA1
cb873be9eef8e814693bd80f4386cd4cf6b8689b

SHA256
26f8cd0debfb6ffe5ab0245cfd20a49c80c758a7cc100d62793c34896d3fadfd

SHA512
7deb17425ea0ead8e39319e8888425717baced9d7284219c5d07933d1025bf58651f346ed87c19f219fddef14e603af399e84d105a79986385c086d1ea3ce279

Download Submit
\Users\Admin\AppData\Local\Temp\ytpgwim.exe
Filesize
4KB

MD5
01f85b1c52121942b82d150bd97c9786

SHA1
cb873be9eef8e814693bd80f4386cd4cf6b8689b

SHA256
26f8cd0debfb6ffe5ab0245cfd20a49c80c758a7cc100d62793c34896d3fadfd

SHA512
7deb17425ea0ead8e39319e8888425717baced9d7284219c5d07933d1025bf58651f346ed87c19f219fddef14e603af399e84d105a79986385c086d1ea3ce279

Download Submit
\Users\Admin\AppData\Local\Temp\ytpgwim.exe
Filesize
4KB

MD5
01f85b1c52121942b82d150bd97c9786

SHA1
cb873be9eef8e814693bd80f4386cd4cf6b8689b

SHA256
26f8cd0debfb6ffe5ab0245cfd20a49c80c758a7cc100d62793c34896d3fadfd

SHA512
7deb17425ea0ead8e39319e8888425717baced9d7284219c5d07933d1025bf58651f346ed87c19f219fddef14e603af399e84d105a79986385c086d1ea3ce279

Download Submit
\Users\Admin\AppData\Local\Temp\ytpgwim.exe
Filesize
4KB

MD5
01f85b1c52121942b82d150bd97c9786

SHA1
cb873be9eef8e814693bd80f4386cd4cf6b8689b

SHA256
26f8cd0debfb6ffe5ab0245cfd20a49c80c758a7cc100d62793c34896d3fadfd

SHA512
7deb17425ea0ead8e39319e8888425717baced9d7284219c5d07933d1025bf58651f346ed87c19f219fddef14e603af399e84d105a79986385c086d1ea3ce279

Download Submit
memory/556-57-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1724-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1724-64-0x00000000004139DE-mapping.dmp

Download
memory/1724-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1724-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads