lokibot | 386e207d9e5d4cf9c0b19777baf11453dc49d344a40638f4e0258649610fe095

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 16:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQQUOTE.exe
Size

1.0MB
MD5

43aa439728e895604786378cc1cc9577
SHA1

c483d8f082b5061b97696a2e38dc14189d3ad2e2
SHA256

386e207d9e5d4cf9c0b19777baf11453dc49d344a40638f4e0258649610fe095
SHA512

72a41af5dd1f427fa74b8ef8016249c053984f15b12af2a5ce922bc963f39a19bad6586d65008977172edf0359d632962ccc50ea1c3d9a441f6e12e0c628a63d
SSDEEP

12288:uoGT3z4k+MdFrxnRBfKW8tO40OwYuyhVWg:uNzk3MdFtRBf94og

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://andrebadi.top/ugopounds/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ngen.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	ngen.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ngen.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 4864	3184	RFQQUOTE.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	ngen.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2404	3184	RFQQUOTE.exe	81
PID 3184 wrote to memory of 2404	3184	RFQQUOTE.exe	81
PID 3184 wrote to memory of 2404	3184	RFQQUOTE.exe	81
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 3956	3184	RFQQUOTE.exe	82
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4256	3184	RFQQUOTE.exe	83
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 4864	3184	RFQQUOTE.exe	84
PID 3184 wrote to memory of 1728	3184	RFQQUOTE.exe	85
PID 3184 wrote to memory of 1728	3184	RFQQUOTE.exe	85
PID 3184 wrote to memory of 1728	3184	RFQQUOTE.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	ngen.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ngen.exe

C:\Users\Admin\AppData\Local\Temp\RFQQUOTE.exe
"C:\Users\Admin\AppData\Local\Temp\RFQQUOTE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2404
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3956
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1728

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

104.219.191.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.219.191.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

andrebadi.top

ngen.exe

Remote address:

8.8.8.8:53

Request

andrebadi.top

IN A

Response

andrebadi.top

IN A

172.67.190.82

andrebadi.top

IN A

104.21.76.60
POST

http://andrebadi.top/ugopounds/five/fre.php

ngen.exe

Remote address:

172.67.190.82:80

Request

POST /ugopounds/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: andrebadi.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BE68BACC
Content-Length: 358
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Thu, 27 Jun 2024 16:41:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B2Uk6B3zMZ8HLc6u%2Fwx2l0R5wXJCSMy87qbis%2FiIuUXvWhhcAFFqV920RNAn3XsH9GEwBfDdy%2BvAOPXBhD6wl2WkKcKlEGV%2BWb8ljnai1vc5btio0jRB45IrPNWfxlDF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a6e22539d96427-LHR
alt-svc: h3=":443"; ma=86400
POST

http://andrebadi.top/ugopounds/five/fre.php

ngen.exe

Remote address:

172.67.190.82:80

Request

POST /ugopounds/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: andrebadi.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BE68BACC
Content-Length: 180
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Thu, 27 Jun 2024 16:41:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uqtsYOhCmjV4Nn1fLtPPPv7JDpglzhwQ%2BwcaV2tauhG0uvCMouLUkycKHb6x%2F%2Fz%2F78MAbBvQgfl5KIhBeuokNFo0r96GuRKHgYrUT%2BHesC3zeFdeyctUMf5wKGLFiydL"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a6e2270e6f6550-LHR
alt-svc: h3=":443"; ma=86400
DNS

82.190.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

82.190.67.172.in-addr.arpa

IN PTR

Response
POST

http://andrebadi.top/ugopounds/five/fre.php

ngen.exe

Remote address:

172.67.190.82:80

Request

POST /ugopounds/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: andrebadi.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BE68BACC
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Thu, 27 Jun 2024 16:41:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3kdcdVbP%2BMjriwTdVzcV2BsjidEfHt6lYy6qsZC%2FrPqBAJkHO7O3P%2F1P7alsfHCxmTfv5ZcRB%2FBA0pApfmx4ETUU%2FDN7OxegSjM24Wlz%2FujPXolO9oVpoe3EoKrvKZa%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a6e2282e4652ca-LHR
alt-svc: h3=":443"; ma=86400
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
POST

http://andrebadi.top/ugopounds/five/fre.php

ngen.exe

Remote address:

172.67.190.82:80

Request

POST /ugopounds/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: andrebadi.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BE68BACC
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Thu, 27 Jun 2024 16:42:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fa%2BEqE8ahfc%2B2Yi6%2BjENLgN3RvMEhNA8LuhWmXLds%2BGnFp0T%2FZSL9K8NC9lJHv7jugyQtVtQoQz1z6h%2F0gt25i9wZVTyrDFkvrKeGT6fJ8XTRJ%2FDQ4x5S20X%2Fe1f2aQk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a6e3a04ea89479-LHR
alt-svc: h3=":443"; ma=86400
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
POST

http://andrebadi.top/ugopounds/five/fre.php

ngen.exe

Remote address:

172.67.190.82:80

Request

POST /ugopounds/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: andrebadi.top
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: BE68BACC
Content-Length: 153
Connection: close

Response

HTTP/1.1 404 Not Found

Date: Thu, 27 Jun 2024 16:43:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.16
Status: 404 Not Found
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWqaAG5NxLOp64VBROGgu7rttK3chwqj1KKXjcjvppX4yM%2Furh4%2BANJObNQMhd0NGJwAP9VZfA0qQyuKRLxtFId9wXgtbiSfDhKhpDRZ5mAF2Y1%2FG36AKa1xPBovtGs6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89a6e5184ce371e7-LHR
alt-svc: h3=":443"; ma=86400

172.67.190.82:80

http://andrebadi.top/ugopounds/five/fre.php

http

ngen.exe

876 B
867 B
6
6

HTTP Request

POST http://andrebadi.top/ugopounds/five/fre.php

HTTP Response

404
172.67.190.82:80

http://andrebadi.top/ugopounds/five/fre.php

http

ngen.exe

744 B
867 B
7
6

HTTP Request

POST http://andrebadi.top/ugopounds/five/fre.php

HTTP Response

404
172.67.190.82:80

http://andrebadi.top/ugopounds/five/fre.php

http

ngen.exe

671 B
879 B
6
6

HTTP Request

POST http://andrebadi.top/ugopounds/five/fre.php

HTTP Response

404
172.67.190.82:80

http://andrebadi.top/ugopounds/five/fre.php

http

ngen.exe

671 B
881 B
6
6

HTTP Request

POST http://andrebadi.top/ugopounds/five/fre.php

HTTP Response

404
172.67.190.82:80

http://andrebadi.top/ugopounds/five/fre.php

http

ngen.exe

671 B
871 B
6
6

HTTP Request

POST http://andrebadi.top/ugopounds/five/fre.php

HTTP Response

404

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

104.219.191.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

104.219.191.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

andrebadi.top

dns

ngen.exe

59 B
91 B
1
1

DNS Request

andrebadi.top

DNS Response

172.67.190.82

104.21.76.60
8.8.8.8:53

82.190.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

82.190.67.172.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/3184-0-0x0000020E42980000-0x0000020E42988000-memory.dmp

Filesize
32KB

Download
memory/3184-1-0x00007FFE314C3000-0x00007FFE314C5000-memory.dmp

Filesize
8KB

Download
memory/3184-2-0x0000020E42D60000-0x0000020E42DD2000-memory.dmp

Filesize
456KB

Download
memory/3184-3-0x00007FFE314C0000-0x00007FFE31F81000-memory.dmp

Filesize
10.8MB

Download
memory/3184-8-0x00007FFE314C0000-0x00007FFE31F81000-memory.dmp

Filesize
10.8MB

Download
memory/4864-4-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4864-6-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4864-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4864-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4864-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.