lokibot | 06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073

Analysis

max time kernel
111s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
31-05-2022 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe
Size

1.7MB
MD5

2a3c99efdf911432be4a154eba65d280
SHA1

283f7b1db8ca593fcd3a34795e6ab3adcb7d01c5
SHA256

06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073
SHA512

2688a925c2e70116683e6b19c8865d858c74e93f9b47f95f11d5587fab62592eb693831e8bc1b969fc3423cd3f379c4c0daa64b7f819a28247c60bbf3c15abc1

Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

http://jalango.co.ke/js/loki/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

iheuche009.hopto.org:1199

Attributes

activex_autorun
true
activex_key
{4QIS0Y00-K788-3BRR-G510-L26XY452725R}
copy_executable
true
delete_original
false
host_id
Bushbush
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
RjCRIvgp
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Avast
use_mutex
true

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022ede-139.dat	netwire
behavioral2/files/0x0007000000022ede-138.dat	netwire
behavioral2/files/0x0006000000022ee0-141.dat	netwire
behavioral2/files/0x0006000000022ee0-142.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

Executes dropped EXE 3 IoCs

Processes:

build.exeHost.exeHost.exe

pid	Process
1180	build.exe
2364	Host.exe
1384	Host.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	build.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avast = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe

description	pid	Process	procid_target
PID 4392 set thread context of 1332	4392	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description	pid	Process
Token: SeDebugPrivilege	1180	build.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exeHost.exe

description	pid	Process	procid_target
PID 4392 wrote to memory of 1332	4392	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	86
PID 4392 wrote to memory of 1332	4392	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	86
PID 4392 wrote to memory of 1332	4392	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	86
PID 4392 wrote to memory of 1332	4392	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	86
PID 4392 wrote to memory of 1332	4392	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	86
PID 1332 wrote to memory of 1180	1332	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	87
PID 1332 wrote to memory of 1180	1332	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	87
PID 1332 wrote to memory of 1180	1332	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	87
PID 1332 wrote to memory of 2364	1332	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	89
PID 1332 wrote to memory of 2364	1332	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	89
PID 1332 wrote to memory of 2364	1332	06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe	89
PID 2364 wrote to memory of 1384	2364	Host.exe	90
PID 2364 wrote to memory of 1384	2364	Host.exe	90
PID 2364 wrote to memory of 1384	2364	Host.exe	90

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe

C:\Users\Admin\AppData\Local\Temp\06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe
"C:\Users\Admin\AppData\Local\Temp\06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe
  "C:\Users\Admin\AppData\Local\Temp\06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\Host.exe
    "C:\Users\Admin\AppData\Local\Temp\Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
104KB

MD5
31ea420cf590a09f3639ed320d8de2fc

SHA1
319f73ee5cc10659d861c40fabb74d9b6aca805d

SHA256
7bedfd941d0a8d44fed08f9d2b9c8c5fcf1964815f15f5b6678d20450186c775

SHA512
6d4ab4e287bba9c98c03dba43dc8b8ef12cacb4c719bc510e8fe927c0eaea1cfb0f1f47fc94cbed3820c23797128eaca0a123dd17eb62eafd4c1adf5be921724

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
104KB

MD5
31ea420cf590a09f3639ed320d8de2fc

SHA1
319f73ee5cc10659d861c40fabb74d9b6aca805d

SHA256
7bedfd941d0a8d44fed08f9d2b9c8c5fcf1964815f15f5b6678d20450186c775

SHA512
6d4ab4e287bba9c98c03dba43dc8b8ef12cacb4c719bc510e8fe927c0eaea1cfb0f1f47fc94cbed3820c23797128eaca0a123dd17eb62eafd4c1adf5be921724

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
memory/1180-133-0x0000000000000000-mapping.dmp

Download
memory/1332-130-0x0000000000000000-mapping.dmp

Download
memory/1332-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1332-136-0x0000000000400000-0x000000000041AE7E-memory.dmp

Filesize
107KB

Download
memory/1384-140-0x0000000000000000-mapping.dmp

Download
memory/2364-137-0x0000000000000000-mapping.dmp

Download