Analysis
-
max time kernel
133s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-01-2021 18:41
General
-
Target
shipping_doc_pdf.exe
-
Size
265KB
-
MD5
ce4d5c2cc963dcf05eadafc79fd439fb
-
SHA1
d27589b72734fa916d47751bf8b13585ec117a11
-
SHA256
a378693f6aef81066fd09e58b29e5dc3190f3aea614b4518589a7a07291b14a2
-
SHA512
08171a620695b88dae3c9189c56df03d1b60752ce1c5d54d5a785c2c9f143dcf673eea6a2f3009cb49328bf2087b5b6d5d07b49c9738ccbe5db9cd668f5e77b9
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://mannaton.com/zoro/zoro3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe"C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe"C:\Users\Admin\AppData\Local\Temp\shipping_doc_pdf.exe"2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2168-2-0x00000000004139DE-mapping.dmp
-
memory/2168-3-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB