Overview

overview

10

Static

static

SecuriteIn...54.exe

windows7_x64

10

SecuriteIn...54.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.ArtemisD14FD9949720.2854.exe

  • Size

    749KB

  • MD5

    d14fd99497206406f7f4f50957160606

  • SHA1

    a96df01d4da745560e3d59f8a5260b53f812ca46

  • SHA256

    ac783649783642e7162d11a2ddf869e7505cd783454a1f05c69edbbda7fc8ce3

  • SHA512

    e4ec3e286437a8be6aa935cbeee30673fe02e27cf0f4b97e7c1867e1f3a4c32bef8293a9f65efdd727451af4681a20f2ec3743cff2922a3b9cfb3bb8561181e8

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://blueriiver-eu.com/chief/offor/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe"
      2⤵
        PID:1408
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe"
        2⤵
          PID:1468
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe"
          2⤵
            PID:1316
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisD14FD9949720.2854.exe"
            2⤵
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            PID:1324

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1052-2-0x0000000074570000-0x0000000074C5E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1052-3-0x0000000000240000-0x0000000000241000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1052-5-0x0000000001DF0000-0x0000000001E02000-memory.dmp
          Filesize

          72KB

          Download
        • memory/1052-6-0x0000000004E20000-0x0000000004E78000-memory.dmp
          Filesize

          352KB

          Download
        • memory/1324-7-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1324-8-0x00000000004139DE-mapping.dmp
          Download
        • memory/1324-9-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1472-10-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp
          Filesize

          2.5MB

          Download