lokibot | 5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb

General

Target

5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe
Size

388KB
MD5

ef2c7bf69513cf30d5320579df36d8f3
SHA1

43443365284476e3b3744b37bcf835340c93fcfe
SHA256

5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb
SHA512

97e5bf3d030aef21ed0ab0107fa73ac6057aa48dcd14e30b53452dc95e0a365b5d9a859751412f3a074217c687f479147daa0ed23c056569b3388d9fc31d8bfd

Score

10^/10

lokibot netwire botnet collection persistence rat spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://meta-mim.in/wp-includes/js/pzy/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes

activex_autorun
true
activex_key
{84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
IRobWUAG
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Avast
use_mutex
true

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

build.exeHost.exeHost.exe

pid process

3676 build.exe
2356 Host.exe
2352 Host.exe

pid	process
3676	build.exe
2356	Host.exe
2352	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avast = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe

description	pid	process	target process
PID 2732 set thread context of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build.exe

description pid process

Token: SeDebugPrivilege 3676 build.exe

description	pid	process
Token: SeDebugPrivilege	3676	build.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exeRegAsm.exeHost.exe

description	pid	process	target process
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 2732 wrote to memory of 220	2732	5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe	RegAsm.exe
PID 220 wrote to memory of 3676	220	RegAsm.exe	build.exe
PID 220 wrote to memory of 3676	220	RegAsm.exe	build.exe
PID 220 wrote to memory of 3676	220	RegAsm.exe	build.exe
PID 220 wrote to memory of 2356	220	RegAsm.exe	Host.exe
PID 220 wrote to memory of 2356	220	RegAsm.exe	Host.exe
PID 220 wrote to memory of 2356	220	RegAsm.exe	Host.exe
PID 2356 wrote to memory of 2352	2356	Host.exe	Host.exe
PID 2356 wrote to memory of 2352	2356	Host.exe	Host.exe
PID 2356 wrote to memory of 2352	2356	Host.exe	Host.exe

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe

C:\Users\Admin\AppData\Local\Temp\5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe
"C:\Users\Admin\AppData\Local\Temp\5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3676

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
132KB

MD5
881779ca64253b8849df903a23e6d652

SHA1
f564352d587ebea5527de51b7bd1269a47355973

SHA256
863a19222eecc560657e64d720a5b64a28e972a7ea5a7983c98343694ffe284d

SHA512
2aff2f984f561ce0d5ae60b529da7cfdec35e02e28d8e9de27346e8c078bccf42c0bd882d7f8e0c70a0aea3bc6592489ee1bb7cc7cd3d1206547610efce26a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
132KB

MD5
881779ca64253b8849df903a23e6d652

SHA1
f564352d587ebea5527de51b7bd1269a47355973

SHA256
863a19222eecc560657e64d720a5b64a28e972a7ea5a7983c98343694ffe284d

SHA512
2aff2f984f561ce0d5ae60b529da7cfdec35e02e28d8e9de27346e8c078bccf42c0bd882d7f8e0c70a0aea3bc6592489ee1bb7cc7cd3d1206547610efce26a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
104KB

MD5
2ef5474132e3e48b54855c7629fdce2e

SHA1
4687a86f96c2a48bbe92ca089ee0543ed4c1e5a4

SHA256
264be6eafb7620e695684bf9a27ce807a1a5d711117bc9b65e27bc80a39912d6

SHA512
dbace6f32bc717909bac540c204c2b9ed1d45266ba4a2feebb5c56fb192a07c9e48fa4df46e68986a1145ae969a8e8f3e2bf5427b9084261a40ef041335c0bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
104KB

MD5
2ef5474132e3e48b54855c7629fdce2e

SHA1
4687a86f96c2a48bbe92ca089ee0543ed4c1e5a4

SHA256
264be6eafb7620e695684bf9a27ce807a1a5d711117bc9b65e27bc80a39912d6

SHA512
dbace6f32bc717909bac540c204c2b9ed1d45266ba4a2feebb5c56fb192a07c9e48fa4df46e68986a1145ae969a8e8f3e2bf5427b9084261a40ef041335c0bba

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
132KB

MD5
881779ca64253b8849df903a23e6d652

SHA1
f564352d587ebea5527de51b7bd1269a47355973

SHA256
863a19222eecc560657e64d720a5b64a28e972a7ea5a7983c98343694ffe284d

SHA512
2aff2f984f561ce0d5ae60b529da7cfdec35e02e28d8e9de27346e8c078bccf42c0bd882d7f8e0c70a0aea3bc6592489ee1bb7cc7cd3d1206547610efce26a94

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
132KB

MD5
881779ca64253b8849df903a23e6d652

SHA1
f564352d587ebea5527de51b7bd1269a47355973

SHA256
863a19222eecc560657e64d720a5b64a28e972a7ea5a7983c98343694ffe284d

SHA512
2aff2f984f561ce0d5ae60b529da7cfdec35e02e28d8e9de27346e8c078bccf42c0bd882d7f8e0c70a0aea3bc6592489ee1bb7cc7cd3d1206547610efce26a94

Download Submit
memory/220-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/220-131-0x0000000000000000-mapping.dmp

Download
memory/220-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-142-0x0000000000000000-mapping.dmp

Download
memory/2356-139-0x0000000000000000-mapping.dmp

Download
memory/2732-135-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2732-130-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3676-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads