lokibot | 8db93f119551dbb9e49d9894abb0c83e9043b18db2373ff590f90f768aa98587

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
Size

548KB
MD5

a03187c0c2cd810f605137b447475202
SHA1

c570719523f00fd9f5f868f012c6b859e20549e9
SHA256

8db93f119551dbb9e49d9894abb0c83e9043b18db2373ff590f90f768aa98587
SHA512

36768cb785ac34be7874b30bc4493f32caa0f8f6b6c7fadab5d798c23792b49026cfb66d6d1bea42dd49da0d7f50559ecd6d1539b23a52a30d82b84537c18c62

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=21242689357140

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description	pid	process	target process
PID 880 set thread context of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

pid process

860 SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description pid process

Token: SeDebugPrivilege 860 SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

pid	process
860	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description	pid	process
Token: SeDebugPrivilege	860	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description	pid	process	target process
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
PID 880 wrote to memory of 860	880	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

outlook_office_path 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

outlook_win_path 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SecuriteInfo.com.W32.AIDetectNet.01.5786.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-75-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-64-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-72-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/860-70-0x00000000004139DE-mapping.dmp

Download
memory/860-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/880-59-0x0000000005B40000-0x0000000005BA2000-memory.dmp

Filesize
392KB

Download
memory/880-58-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/880-54-0x00000000012D0000-0x000000000135E000-memory.dmp

Filesize
568KB

Download
memory/880-56-0x0000000000CB0000-0x0000000000D20000-memory.dmp

Filesize
448KB

Download
memory/880-60-0x0000000000E30000-0x0000000000E50000-memory.dmp

Filesize
128KB

Download
memory/880-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/880-57-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads