lokibot | be934241304d999e605d938795046cde049e62fc8639557a61a60429ad737af9

General

Target

Informe bancario.pdf.exe
Size

438KB
MD5

21950205d5c3a8536711e5a90dd4c5f7
SHA1

59fd75874e921d19b9eed54817662b01f697bfac
SHA256

be934241304d999e605d938795046cde049e62fc8639557a61a60429ad737af9
SHA512

25de0b9cb1cba95d9f2604a72e6ee04a3c4e0ddc6037f5d87ccd631473b371a75f2bc4af31bca77ee56d26d0dba1364ed078f62df4e7d989db67084a94d22a97

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://kossa.xyz/esi/pp/play.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Informe bancario.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Informe bancario.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Informe bancario.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Informe bancario.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Informe bancario.pdf.exe

description pid process target process

PID 4208 set thread context of 3604 4208 Informe bancario.pdf.exe Informe bancario.pdf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Informe bancario.pdf.exe

pid process

4208 Informe bancario.pdf.exe
4208 Informe bancario.pdf.exe
4208 Informe bancario.pdf.exe
4208 Informe bancario.pdf.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Informe bancario.pdf.exe

pid process

3604 Informe bancario.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Informe bancario.pdf.exeInforme bancario.pdf.exe

description pid process

Token: SeDebugPrivilege 4208 Informe bancario.pdf.exe
Token: SeDebugPrivilege 3604 Informe bancario.pdf.exe

description	pid	process	target process
PID 4208 set thread context of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe

pid	process
4208	Informe bancario.pdf.exe
4208	Informe bancario.pdf.exe
4208	Informe bancario.pdf.exe
4208	Informe bancario.pdf.exe

pid	process
3604	Informe bancario.pdf.exe

description	pid	process
Token: SeDebugPrivilege	4208	Informe bancario.pdf.exe
Token: SeDebugPrivilege	3604	Informe bancario.pdf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Informe bancario.pdf.exe

description	pid	process	target process
PID 4208 wrote to memory of 780	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 780	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 780	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3320	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3320	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3320	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe
PID 4208 wrote to memory of 3604	4208	Informe bancario.pdf.exe	Informe bancario.pdf.exe

outlook_office_path 1 IoCs

Processes:

Informe bancario.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Informe bancario.pdf.exe

outlook_win_path 1 IoCs

Processes:

Informe bancario.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Informe bancario.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
2⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
2⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-135-0x0000000000000000-mapping.dmp

Download
memory/3320-136-0x0000000000000000-mapping.dmp

Download
memory/3604-137-0x0000000000000000-mapping.dmp

Download
memory/3604-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3604-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3604-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3604-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4208-130-0x00000000008F0000-0x0000000000964000-memory.dmp

Filesize
464KB

Download
memory/4208-131-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/4208-132-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/4208-133-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/4208-134-0x00000000078D0000-0x000000000796C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads