lokibot | cbbd8d9cc6816d8ff28e9b498240b053b1fad0ee4abc9f65b5eda3b502a6c56a

General

Target

Richiesta di Offerta.exe
Size

564KB
MD5

b95724c316ffbab837bc0449557aca7a
SHA1

60bdf46e1a4949b30593737a263b31dd9b0cbcb5
SHA256

72bc6c78b71fb0a8b5a668c369e115df3eed9d8d74f19fc3eed683e19fc9c0ac
SHA512

6b08f3120807d35315db5833bb91cabfb91c495236665a041155db05be3bd185247f3b1123d4291bbbbd2f6b6ee9987c647c89cd8499ddb776c0aa4982c07890

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://matbin.com/wp-includes/colors/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Richiesta di Offerta.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Richiesta di Offerta.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Richiesta di Offerta.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Richiesta di Offerta.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Richiesta di Offerta.exeRichiesta di Offerta.exe

description	pid	process	target process
PID 1608 set thread context of 1680	1608	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 set thread context of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe

Drops file in Windows directory 2 IoCs

Processes:

Richiesta di Offerta.exeRichiesta di Offerta.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	Richiesta di Offerta.exe
File opened for modification	C:\Windows\win.ini	Richiesta di Offerta.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

Richiesta di Offerta.exe

pid process

1184 Richiesta di Offerta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Richiesta di Offerta.exe

description pid process

Token: SeDebugPrivilege 1184 Richiesta di Offerta.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Richiesta di Offerta.exeRichiesta di Offerta.exe

pid process

1608 Richiesta di Offerta.exe
1680 Richiesta di Offerta.exe

pid	process
1184	Richiesta di Offerta.exe

description	pid	process
Token: SeDebugPrivilege	1184	Richiesta di Offerta.exe

pid	process
1608	Richiesta di Offerta.exe
1680	Richiesta di Offerta.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Richiesta di Offerta.exeRichiesta di Offerta.exe

description	pid	process	target process
PID 1608 wrote to memory of 1680	1608	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1608 wrote to memory of 1680	1608	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1608 wrote to memory of 1680	1608	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1608 wrote to memory of 1680	1608	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe
PID 1680 wrote to memory of 1184	1680	Richiesta di Offerta.exe	Richiesta di Offerta.exe

outlook_office_path 1 IoCs

Processes:

Richiesta di Offerta.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Richiesta di Offerta.exe

outlook_win_path 1 IoCs

Processes:

Richiesta di Offerta.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Richiesta di Offerta.exe

C:\Users\Admin\AppData\Local\Temp\Richiesta di Offerta.exe
"C:\Users\Admin\AppData\Local\Temp\Richiesta di Offerta.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\Richiesta di Offerta.exe
"C:\Users\Admin\AppData\Local\Temp\Richiesta di Offerta.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\Richiesta di Offerta.exe
"C:\Users\Admin\AppData\Local\Temp\Richiesta di Offerta.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1184-93-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1184-92-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1184-91-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1184-87-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1184-82-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1184-83-0x00000000004139DE-mapping.dmp

Download
memory/1608-66-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-79-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-67-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-68-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-69-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-70-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-71-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-72-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-73-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-74-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-75-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-76-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-78-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-56-0x0000000076C01000-0x0000000076C03000-memory.dmp

Filesize
8KB

Download
memory/1608-77-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-65-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-64-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-63-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-60-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1608-61-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1608-62-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-88-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1680-89-0x0000000077C60000-0x0000000077D36000-memory.dmp

Filesize
856KB

Download
memory/1680-86-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1680-84-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads