lokibot | 2d1e4b59e9abe3b38c9a648d8d9d6097e6c54593c94f43e7d8005143fc422a81

General

Target

Urgent New Order.exe
Size

533KB
MD5

8f738dfc3590a522f9ebef97fb7b0a06
SHA1

157c846283f38ca9322c2d2cdb64f2173066c71d
SHA256

2d1e4b59e9abe3b38c9a648d8d9d6097e6c54593c94f43e7d8005143fc422a81
SHA512

6466394a9ca3c333e02f3a29d951c30a3b8e7368574f67e39d4da711455765a5f229c6e222d84cf4cc6a2479450b9235f42da8b94e8f170fc45303c49ab2e4af

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gh24/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Urgent New Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Urgent New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Urgent New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Urgent New Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Urgent New Order.exe

description pid process target process

PID 3880 set thread context of 4988 3880 Urgent New Order.exe Urgent New Order.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Urgent New Order.exe

pid process

3880 Urgent New Order.exe
3880 Urgent New Order.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Urgent New Order.exe

pid process

4988 Urgent New Order.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Urgent New Order.exeUrgent New Order.exe

description pid process

Token: SeDebugPrivilege 3880 Urgent New Order.exe
Token: SeDebugPrivilege 4988 Urgent New Order.exe

description	pid	process	target process
PID 3880 set thread context of 4988	3880	Urgent New Order.exe	Urgent New Order.exe

pid	process
3880	Urgent New Order.exe
3880	Urgent New Order.exe

pid	process
4988	Urgent New Order.exe

description	pid	process
Token: SeDebugPrivilege	3880	Urgent New Order.exe
Token: SeDebugPrivilege	4988	Urgent New Order.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Urgent New Order.exe

description	pid	process	target process
PID 3880 wrote to memory of 5016	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 5016	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 5016	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe
PID 3880 wrote to memory of 4988	3880	Urgent New Order.exe	Urgent New Order.exe

outlook_office_path 1 IoCs

Processes:

Urgent New Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Urgent New Order.exe

outlook_win_path 1 IoCs

Processes:

Urgent New Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Urgent New Order.exe

C:\Users\Admin\AppData\Local\Temp\Urgent New Order.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent New Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\Urgent New Order.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent New Order.exe"
2⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\Urgent New Order.exe
"C:\Users\Admin\AppData\Local\Temp\Urgent New Order.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3880-130-0x00000000007B0000-0x000000000083A000-memory.dmp

Filesize
552KB

Download
memory/3880-131-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/3880-132-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3880-133-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/3880-134-0x0000000009090000-0x000000000912C000-memory.dmp

Filesize
624KB

Download
memory/3880-135-0x00000000091D0000-0x0000000009236000-memory.dmp

Filesize
408KB

Download
memory/4988-137-0x0000000000000000-mapping.dmp

Download
memory/4988-138-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4988-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4988-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4988-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5016-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads