lokibot | 5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8

General

Target

5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe
Size

123KB
MD5

38e8bb23fbdf63faa5c2c8729ac52f9e
SHA1

af0c1011454de922aeb46ebfe7b2276edbb44dfd
SHA256

5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8
SHA512

946e47e624a92515bccff38057ec2d4736a9f87697a1051e3bbc5ed57615d3e9b02002046be429fd2e98dfc03355bfdbeb521717c5d2d89f43d276c6e865dc18

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gg1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 2 IoCs

Processes:

twjdfhat.exetwjdfhat.exe

pid process

3704 twjdfhat.exe
1668 twjdfhat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3704	twjdfhat.exe
1668	twjdfhat.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

twjdfhat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	twjdfhat.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	twjdfhat.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	twjdfhat.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

twjdfhat.exe

description pid process target process

PID 3704 set thread context of 1668 3704 twjdfhat.exe twjdfhat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

twjdfhat.exe

description pid process

Token: SeDebugPrivilege 1668 twjdfhat.exe

description	pid	process	target process
PID 3704 set thread context of 1668	3704	twjdfhat.exe	twjdfhat.exe

description	pid	process
Token: SeDebugPrivilege	1668	twjdfhat.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exetwjdfhat.exe

description	pid	process	target process
PID 3140 wrote to memory of 3704	3140	5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe	twjdfhat.exe
PID 3140 wrote to memory of 3704	3140	5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe	twjdfhat.exe
PID 3140 wrote to memory of 3704	3140	5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe
PID 3704 wrote to memory of 1668	3704	twjdfhat.exe	twjdfhat.exe

outlook_office_path 1 IoCs

Processes:

twjdfhat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	twjdfhat.exe

outlook_win_path 1 IoCs

Processes:

twjdfhat.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	twjdfhat.exe

C:\Users\Admin\AppData\Local\Temp\5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe
"C:\Users\Admin\AppData\Local\Temp\5833f2478df7361541589bbcf434e1dabf7fc39df6ae27ceda406c3e057fb5a8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe
C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe C:\Users\Admin\AppData\Local\Temp\fnurus
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704

C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe
C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe C:\Users\Admin\AppData\Local\Temp\fnurus
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fnurus
Filesize
4KB

MD5
1bc7985314600a6d3e62bc76d8613a26

SHA1
eb8516476f0852cf68b7bb796303b5d69a97a8ec

SHA256
32d5e8d03e5777807baacc6eeec0833d4d8954f3dfced02319c0845105af70c4

SHA512
f2059fd773991175a43a8dc6ac5a47a58ad25492f65995d42a8493e5a862e55ad2c267e83cf768c60b41f183cc33293b667e21a1df935f6be78dc1cf4f959cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\q92u2x0i2ub
Filesize
103KB

MD5
36eea639be68bb1e307e6c6498f61db5

SHA1
6aefc02c5048ac963d981ffbde6552af91e0ad5b

SHA256
3c52c3cc218e95b76176336c081ea6f39c54df479b546ce3f30c630eff707aba

SHA512
c9cbb6d23b2bb266d311cad506665d33a7f4caf66ccedc661b7f95974fd098d2b3d434c66c804794e89d7f719c6233129af15eb1e836653182e70161d9f1b7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe
Filesize
4KB

MD5
2e1ee51e95d264491a184b3b2726d08f

SHA1
977003cdad28e163f049fa82d904f40c370ae270

SHA256
c113a90b83ad5bc5afc80550b62301c5d52575356cfc5d16526ade992a818a49

SHA512
a43a57f618d75c29330b3297c5d72e22113b0c2a0f539e1135c9b08c857a457d60d09eb451b2ac938e50f661414629c220f5dd1f1234d1c0d590931fcbe70f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe
Filesize
4KB

MD5
2e1ee51e95d264491a184b3b2726d08f

SHA1
977003cdad28e163f049fa82d904f40c370ae270

SHA256
c113a90b83ad5bc5afc80550b62301c5d52575356cfc5d16526ade992a818a49

SHA512
a43a57f618d75c29330b3297c5d72e22113b0c2a0f539e1135c9b08c857a457d60d09eb451b2ac938e50f661414629c220f5dd1f1234d1c0d590931fcbe70f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\twjdfhat.exe
Filesize
4KB

MD5
2e1ee51e95d264491a184b3b2726d08f

SHA1
977003cdad28e163f049fa82d904f40c370ae270

SHA256
c113a90b83ad5bc5afc80550b62301c5d52575356cfc5d16526ade992a818a49

SHA512
a43a57f618d75c29330b3297c5d72e22113b0c2a0f539e1135c9b08c857a457d60d09eb451b2ac938e50f661414629c220f5dd1f1234d1c0d590931fcbe70f02

Download Submit
memory/1668-135-0x0000000000000000-mapping.dmp

Download
memory/1668-136-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1668-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1668-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3704-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads