Analysis

  • max time kernel
    14s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 13:13

General

  • Target

    comprobante de pago $ 60,250·pdf.exe

  • Size

    156KB

  • MD5

    f236c5ab7d649c9a0cf41cd630625c8e

  • SHA1

    de36fd44128dfe472c5608db4eb5877c968da4f9

  • SHA256

    97a715f8f119a00b01a264f4206bcb050fa0eb9a87d775d3c1acbeb89536da53

  • SHA512

    e3158a904d6a30226f5b1381b8b50a12e604aca4ca5d2f7c64c07e42c75aacae6083e24b188afd9be59ee8d246e02f41150d02ee1b5ee9d81d075d28f049c18e

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/S7zr5v1fXI3Rb

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\comprobante de pago $ 60,250·pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\comprobante de pago $ 60,250·pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Users\Admin\AppData\Local\Temp\comprobante de pago $ 60,250·pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\comprobante de pago $ 60,250·pdf.exe"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082)
    1

Downloads

  • \Users\Admin\AppData\Local\Temp\8qn92m27.dll
    MD5

    ea89387a70ba097cab373ed5a8c0857a

    SHA1

    befc85b5431790151fc8f3fe97f9c65c311cb424

    SHA256

    73b6f109ba51ec5f86ab75ed85622460a9867ebe9c6b4e8f283c963930e26ba4

    SHA512

    20cc71c1b3d0da31504683f88a4c1e7c577524d2555b30491cf483f852217770dd05c6979f833d1c092565293b56e661dc9bfde32d3d08238a73714c2c834015

  • \Users\Admin\AppData\Local\Temp\nsd4EE3.tmp\System.dll
    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

  • memory/3776-4-0x00000000004139DE-mapping.dmp
  • memory/3776-5-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB