lokibot | 3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778

General

Target

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
Size

410KB
MD5

43bf9ca3e0496c7b8a81ab34397903ec
SHA1

2240e97b4ac3ddafc292bc04e46893cd5433e9a5
SHA256

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778
SHA512

fd75f7ed02edf9539e7b6c17c67a3e7bb5506aa6a463cb2fb761df9133c7f8c58802fef2e256d1dd57b275582a7a3f8a64a8ac5d1284536f711c1754e527d8e5

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://majesticraft.com/ema/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe

description	pid	process	target process
PID 1808 set thread context of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe

pid	process
1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
Token: SeDebugPrivilege	1268	vbc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.execsc.exe

description	pid	process	target process
PID 1808 wrote to memory of 1332	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 1808 wrote to memory of 1332	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 1808 wrote to memory of 1332	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 1808 wrote to memory of 1332	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 1332 wrote to memory of 832	1332	csc.exe	cvtres.exe
PID 1332 wrote to memory of 832	1332	csc.exe	cvtres.exe
PID 1332 wrote to memory of 832	1332	csc.exe	cvtres.exe
PID 1332 wrote to memory of 832	1332	csc.exe	cvtres.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 1808 wrote to memory of 1268	1808	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
"C:\Users\Admin\AppData\Local\Temp\3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\duae5szy\duae5szy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES771.tmp" "c:\Users\Admin\AppData\Local\Temp\duae5szy\CSC763AD83256374E74AEACAA9932294FA8.TMP"
3⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES771.tmp

Filesize
1KB

MD5
585d7e63fc9aa1f21b3778cab2a8a49c

SHA1
e666a8e731c1f158543e9f906738cc7690996bf3

SHA256
6d4c61272697c650f784196517340e5befbe6d270268a3dfcedabbea146a9146

SHA512
630c31774b46eb99fe9d80cca8360dd639243b3c7fc3337aaf2d66921f0277dc704338c37d707e8f879779ed814373a10cfc86e7bb650f61d23d65784b50fa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\duae5szy\duae5szy.dll

Filesize
19KB

MD5
342cb58fdf1d6d4004a3e493c6242a2c

SHA1
c22285183e0259353e43661e903f734b2a23c17f

SHA256
a32634123c8a6c2e7d06049289259b43efe1f76487490969f427cd0aa3a80488

SHA512
373a2dc51736f48a673a5615bd486b20bce24670f263f62bc94425d339992fb9e29f0f6b17ce376807a130cbca547f55b5b198763edcc7fb63b97367ee71d173

Download Submit
C:\Users\Admin\AppData\Local\Temp\duae5szy\duae5szy.pdb

Filesize
63KB

MD5
30cf31617393bdf731e65d22e6c1331d

SHA1
3041b2ce17120716ee9368e078fa3f23c28747f1

SHA256
60cced364ee7d2305cd60de96934de82d05259dff4836d906b75276ddf4e9362

SHA512
ec9402edbfd8563142eb0b66c6f3d0b3fafb2cb5d7f0f2b7258cd9ce4b673f57a17a4c1add08e1967e821fb32aa2c800af72fe4a9075335b96312ab543e5adbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duae5szy\CSC763AD83256374E74AEACAA9932294FA8.TMP

Filesize
1KB

MD5
7836f408d605e019a9177dd5ce20f0f9

SHA1
386cae2eeaf71ea3354636bf16980fb60b0f0f06

SHA256
8cc773be10748b9cfdc4b224f304835a78c2cae2c3944b0f3e3c4547a4806954

SHA512
2c9824260fc86c624513675cbadd0ac9a4ba3ab63cb38f8470a4d76e930ce3fe91bf39caa8d673ee2c30386fe8eff3abf0e3eb173d7dba0db3d82c3b2c26efaa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duae5szy\duae5szy.0.cs

Filesize
44KB

MD5
f4a96db4f5e48879638e09e60f70b341

SHA1
5bad1df29e2f32594db5e05721a2d4b1a5cb0410

SHA256
08f744caff7139def1ccf69c80186f5d96c3422b1386e302fb56dde26a40cae9

SHA512
101ad2ffb371c661a7984955a4f8595ec8fa9c78fa166bf92284e38e1f028614aeef2594f78a9c27fe1e767105bfe231e2fcb8b63e6d2167b24245e6f9525d7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\duae5szy\duae5szy.cmdline

Filesize
312B

MD5
0ae0ed4af4557975d69c6d1d8df30b9b

SHA1
f445073080c309cf33596a651806edb8aed2355d

SHA256
248baadca88181360e7008dad70e2448b0b5f477d6659bf2e9d0886178ce876f

SHA512
9d18bcbfa340790c696200af0475c4b468426f89df93e5c84e961ee4e873e617f32ea0761d18db0d2fcbc026310eecc82bfc6b2961cbb5a1d12e6e5c37a342e0

Download Submit
memory/832-58-0x0000000000000000-mapping.dmp

Download
memory/1268-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-77-0x00000000004139DE-mapping.dmp

Download
memory/1268-82-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-81-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-79-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-76-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-71-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1332-55-0x0000000000000000-mapping.dmp

Download
memory/1808-67-0x0000000000510000-0x00000000005B2000-memory.dmp

Filesize
648KB

Download
memory/1808-54-0x0000000001150000-0x00000000011BC000-memory.dmp

Filesize
432KB

Download
memory/1808-66-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1808-65-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1808-64-0x0000000000AE0000-0x0000000000B0A000-memory.dmp

Filesize
168KB

Download
memory/1808-63-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads