Overview

overview

10

Static

static

nueva coti...at.exe

windows7_x64

10

nueva coti...at.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-02-2021 17:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nueva cotización.PDF.bat.exe

  • Size

    754KB

  • MD5

    facb14f65870c990c32679776b7d0ce2

  • SHA1

    d711e17f5e66919ceec6ba5c77e45325c81b1f74

  • SHA256

    dba85869242d60ad43228d1cbeef917f51096602f7db233e0972eb1091b4c355

  • SHA512

    28e510a8f805874eda9d3abf1ce65f1663f96545f5c3588a6113802a69e51ae31c39eb65f7631ab4923d760c25adc2b7dcae84af764403f4bd3a2c918bf4a635

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/ZtkNeeK6C94X6

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nueva cotización.PDF.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\nueva cotización.PDF.bat.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Local\Temp\nueva cotización.PDF.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\nueva cotización.PDF.bat.exe"
      2⤵
        PID:556
      • C:\Users\Admin\AppData\Local\Temp\nueva cotización.PDF.bat.exe
        "C:\Users\Admin\AppData\Local\Temp\nueva cotización.PDF.bat.exe"
        2⤵
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        PID:1052

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1016-11-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1020-2-0x0000000073F40000-0x000000007462E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1020-3-0x0000000000270000-0x0000000000271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1020-5-0x00000000071B0000-0x00000000071B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1020-6-0x0000000000390000-0x0000000000393000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1020-7-0x00000000020D0000-0x0000000002111000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1052-8-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1052-9-0x00000000004139DE-mapping.dmp
      Download
    • memory/1052-10-0x00000000753E1000-0x00000000753E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1052-12-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download