Overview

overview

10

Static

static

Documentos...at.exe

windows7_x64

10

Documentos...at.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documentos de pago.PDF.bat.exe

  • Size

    785KB

  • MD5

    3f09920e886cc97941e5f583df1f748e

  • SHA1

    ce884a421722073936438dfea755547674c6b003

  • SHA256

    a34d721f2e55cfaf7913b4a5805cc1be6becb6f4bb61875b8d7f7d60c23b3e29

  • SHA512

    e9d151593b3f4d32c60fe7308a01d7c26756d10ecd805d7aa6cd64ef623a7864e0254dcfeea22a0b55ead122c1b36b9a6315185362142b53e9ccd68efef8fab1

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/qElaNgWyezEFV

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documentos de pago.PDF.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\Documentos de pago.PDF.bat.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Users\Admin\AppData\Local\Temp\Documentos de pago.PDF.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\Documentos de pago.PDF.bat.exe"
      2⤵
        PID:2336
      • C:\Users\Admin\AppData\Local\Temp\Documentos de pago.PDF.bat.exe
        "C:\Users\Admin\AppData\Local\Temp\Documentos de pago.PDF.bat.exe"
        2⤵
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        PID:2212

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/732-2-0x00000000730E0000-0x00000000737CE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/732-3-0x0000000000790000-0x0000000000791000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-5-0x0000000007580000-0x0000000007581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-6-0x0000000007B20000-0x0000000007B21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-7-0x00000000076C0000-0x00000000076C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-8-0x0000000007540000-0x0000000007541000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-9-0x0000000007820000-0x0000000007821000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-10-0x0000000004B40000-0x0000000004B52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/732-11-0x00000000054C0000-0x0000000005519000-memory.dmp
      Filesize

      356KB

      Download
    • memory/2212-12-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2212-13-0x00000000004139DE-mapping.dmp
      Download
    • memory/2212-14-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download