lokibot | 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca

General

Target

52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
Size

1.3MB
MD5

379fcce7aa44df74a1510fe7cd82a558
SHA1

3282d76ba3b1b9e6a95e5b8a0fa1a7e77b66cd75
SHA256

52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca
SHA512

52aef4aa657ecd5099fd86babb97a4a2a72eecd5bcfda6140a839c1d9683097ca1d51e4940825b17498af4e675a7e3b623236017c95829b70e4fd1e81d099e2b

Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://jalango.co.ke/js/loki/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes

activex_autorun
true
activex_key
{4QIS0Y00-K788-3BRR-G510-L26XY452725R}
copy_executable
true
delete_original
false
host_id
Bushbush
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
RjCRIvgp
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Avast
use_mutex
true

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Executes dropped EXE 3 IoCs

Processes:

build.exeHost.exeHost.exe

pid process

4556 build.exe
4364 Host.exe
3016 Host.exe

pid	process
4556	build.exe
4364	Host.exe
3016	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4QIS0Y00-K788-3BRR-G510-L26XY452725R}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4QIS0Y00-K788-3BRR-G510-L26XY452725R}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe

Drops startup file 2 IoCs

Processes:

52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avast = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe

description	pid	process	target process
PID 4608 set thread context of 1604	4608	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 4556 build.exe

description	pid	process
Token: SeDebugPrivilege	4556	build.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exeHost.exe

description	pid	process	target process
PID 4608 wrote to memory of 1604	4608	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
PID 4608 wrote to memory of 1604	4608	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
PID 4608 wrote to memory of 1604	4608	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
PID 4608 wrote to memory of 1604	4608	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
PID 4608 wrote to memory of 1604	4608	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
PID 1604 wrote to memory of 4556	1604	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	build.exe
PID 1604 wrote to memory of 4556	1604	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	build.exe
PID 1604 wrote to memory of 4556	1604	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	build.exe
PID 1604 wrote to memory of 4364	1604	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	Host.exe
PID 1604 wrote to memory of 4364	1604	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	Host.exe
PID 1604 wrote to memory of 4364	1604	52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe	Host.exe
PID 4364 wrote to memory of 3016	4364	Host.exe	Host.exe
PID 4364 wrote to memory of 3016	4364	Host.exe	Host.exe
PID 4364 wrote to memory of 3016	4364	Host.exe	Host.exe

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe

C:\Users\Admin\AppData\Local\Temp\52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
"C:\Users\Admin\AppData\Local\Temp\52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
"C:\Users\Admin\AppData\Local\Temp\52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4556

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
104KB

MD5
31ea420cf590a09f3639ed320d8de2fc

SHA1
319f73ee5cc10659d861c40fabb74d9b6aca805d

SHA256
7bedfd941d0a8d44fed08f9d2b9c8c5fcf1964815f15f5b6678d20450186c775

SHA512
6d4ab4e287bba9c98c03dba43dc8b8ef12cacb4c719bc510e8fe927c0eaea1cfb0f1f47fc94cbed3820c23797128eaca0a123dd17eb62eafd4c1adf5be921724

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
104KB

MD5
31ea420cf590a09f3639ed320d8de2fc

SHA1
319f73ee5cc10659d861c40fabb74d9b6aca805d

SHA256
7bedfd941d0a8d44fed08f9d2b9c8c5fcf1964815f15f5b6678d20450186c775

SHA512
6d4ab4e287bba9c98c03dba43dc8b8ef12cacb4c719bc510e8fe927c0eaea1cfb0f1f47fc94cbed3820c23797128eaca0a123dd17eb62eafd4c1adf5be921724

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
132KB

MD5
530bb6565f24112710a4a51adb1fa1d7

SHA1
ad9ad907407f95b7c08e578fd3b8b64288caaf8c

SHA256
063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573

SHA512
a86e818c7bf383c2a73ce8f3c7e629efb35d92b42755f888f579c7505d8781b6cde7acd497fe35758a28950f5093495028984bba051a6ad44950f22ad3f2dd14

Download Submit
memory/1604-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1604-133-0x0000000000400000-0x000000000041AE7E-memory.dmp

Filesize
107KB

Download
memory/1604-130-0x0000000000000000-mapping.dmp

Download
memory/1604-140-0x0000000000400000-0x000000000041AE7E-memory.dmp

Filesize
107KB

Download
memory/3016-141-0x0000000000000000-mapping.dmp

Download
memory/4364-137-0x0000000000000000-mapping.dmp

Download
memory/4556-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads