Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 12:10
General
-
Target
89c43fa14d007c940ad21716efe6c4ce18b38dc94a8c457138422c93697751b6.exe
-
Size
379KB
-
MD5
037ada41d7814605e44f86831bda870c
-
SHA1
7b366232f409bb401cb0bfd39ba9de1cb48b6384
-
SHA256
89c43fa14d007c940ad21716efe6c4ce18b38dc94a8c457138422c93697751b6
-
SHA512
52e0e997d0ada0fce57c72a62d540cf70ad208fa6f5ead2eb2e47b7a7d81db96514462628b0234bf074468ed57cae847206c9cb626c3e0c976e2f57fce33d2bd
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://beckhoff-th.com/kon/kon2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\89c43fa14d007c940ad21716efe6c4ce18b38dc94a8c457138422c93697751b6.exe"C:\Users\Admin\AppData\Local\Temp\89c43fa14d007c940ad21716efe6c4ce18b38dc94a8c457138422c93697751b6.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\89c43fa14d007c940ad21716efe6c4ce18b38dc94a8c457138422c93697751b6.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648KB
-
Filesize
648KB