lokibot | 3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778

General

Target

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
Size

410KB
MD5

43bf9ca3e0496c7b8a81ab34397903ec
SHA1

2240e97b4ac3ddafc292bc04e46893cd5433e9a5
SHA256

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778
SHA512

fd75f7ed02edf9539e7b6c17c67a3e7bb5506aa6a463cb2fb761df9133c7f8c58802fef2e256d1dd57b275582a7a3f8a64a8ac5d1284536f711c1754e527d8e5

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://majesticraft.com/ema/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe

description	pid	process	target process
PID 2116 set thread context of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe

pid	process
2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
Token: SeDebugPrivilege	5116	vbc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.execsc.exe

description	pid	process	target process
PID 2116 wrote to memory of 2356	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 2116 wrote to memory of 2356	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 2116 wrote to memory of 2356	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	csc.exe
PID 2356 wrote to memory of 4364	2356	csc.exe	cvtres.exe
PID 2356 wrote to memory of 4364	2356	csc.exe	cvtres.exe
PID 2356 wrote to memory of 4364	2356	csc.exe	cvtres.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe
PID 2116 wrote to memory of 5116	2116	3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe
"C:\Users\Admin\AppData\Local\Temp\3e7b8a8ef41216834f9311a7ce4e2fbb1a48e18f691e21e229cb0199986c0778.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndyo2qfg\ndyo2qfg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD476.tmp" "c:\Users\Admin\AppData\Local\Temp\ndyo2qfg\CSC7166FE71A7D6478A855379C17321998.TMP"
3⤵
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD476.tmp

Filesize
1KB

MD5
e4b9976d7fe28a67d31c15aa71ec07b0

SHA1
2e3169d6dba5ea1960a79a08a786c4057305dfd9

SHA256
f3f88997df6311ed9d2c535c7e40db909b005f32ca5125f329fbf8e26db6d8e7

SHA512
bb5dbc8e410234ed73b079b368d785397e6227c4f876249ba1b1f61186bd1de1c7144179391d24c5b8879e9dfa14f952a879251820339a09857a66c61925a8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndyo2qfg\ndyo2qfg.dll

Filesize
19KB

MD5
4847f5b9888232044e20251408a54862

SHA1
71e672ea6277d2c8b41bf76da043b1ad1b423f75

SHA256
ab2ad7d92f4560cd7b6b1075866f2b2ec81ea6fe8c289a70de53bfb5f92c44f2

SHA512
85423418e607b9916d7a8ddb25d21bc86a0003a835918b3e1570c69c212503f1785efb76659d4281d573162ba054417b6973cc0b40e6324e3254f4552d2ef00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndyo2qfg\ndyo2qfg.pdb

Filesize
63KB

MD5
f5175f6d3cc68d7a4d45cfec1c648027

SHA1
4ad07af6b021ab85a0021d38599b2e73fe3c6722

SHA256
d6ce421e2ce22bfcff07356a52eefcad7d2978a7c9691863f4fc511f7047c1d8

SHA512
eef7b40bd67aa0c345346b97ee47e3f12ed6f1525c9fe48c5653fa62d0006354ca77817f086d3478209550f51265c506171faee2a13f4b49980d6fe6822aeb61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndyo2qfg\CSC7166FE71A7D6478A855379C17321998.TMP

Filesize
1KB

MD5
058a110362fb5df94ccb82dc27d831a1

SHA1
411adf6817bc42a9f798f8437d3d31fd45bf9c3f

SHA256
00bdc0afbbb2087fdbfdb0b47446eb5fc94249dbeff635a2bfa12702474c2b37

SHA512
51c0127827813e48ea2b1801636fac70670f14874b8c176025618a072a86bc5536ba0a5d6518cc000b67d572584be2982bda0a8b6cf2c22692016967e9738d3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndyo2qfg\ndyo2qfg.0.cs

Filesize
44KB

MD5
f4a96db4f5e48879638e09e60f70b341

SHA1
5bad1df29e2f32594db5e05721a2d4b1a5cb0410

SHA256
08f744caff7139def1ccf69c80186f5d96c3422b1386e302fb56dde26a40cae9

SHA512
101ad2ffb371c661a7984955a4f8595ec8fa9c78fa166bf92284e38e1f028614aeef2594f78a9c27fe1e767105bfe231e2fcb8b63e6d2167b24245e6f9525d7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ndyo2qfg\ndyo2qfg.cmdline

Filesize
312B

MD5
47d20b7fea140e3874c990f2d162fd0a

SHA1
cd4f6dd77295faa86a92b66ff2397a60c751aa36

SHA256
a55dc7832b1e8b2e82bd05aef7818c80eb9fbdc80df0cf4b41c8f105d24d6439

SHA512
f1f7c1d3fb85f92149c75faeb4d3ba9dc4ab9c13eea1114d0b582cd3bcc885efea3fb1e446a9e4cc5bfdf7e2b6814393fcb2325dce871d897a462f8ab094ee98

Download Submit
memory/2116-140-0x0000000005A90000-0x0000000005B2C000-memory.dmp

Filesize
624KB

Download
memory/2116-130-0x00000000008C0000-0x000000000092C000-memory.dmp

Filesize
432KB

Download
memory/2116-139-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/2356-131-0x0000000000000000-mapping.dmp

Download
memory/4364-134-0x0000000000000000-mapping.dmp

Download
memory/5116-141-0x0000000000000000-mapping.dmp

Download
memory/5116-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5116-144-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5116-145-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5116-146-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads