Overview

overview

10

Static

static

winlog.exe

windows7_x64

10

winlog.exe

windows10_x64

10

Analysis

  • max time kernel
    37s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    27-02-2021 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winlog.exe

  • Size

    663KB

  • MD5

    360437b30bd9db4fa30bb9399d712948

  • SHA1

    960a2bcc3e85637ba561a72c6edc31078f184564

  • SHA256

    41c7c097e85a0c9ee40d1d92cd47bfff9fdb5752532a21e15c142fa3591eb7b3

  • SHA512

    e7b95462a2e4e72805a2597655443d6a0fca905ec66d8a1214b5fddf469d4d085f877bf32683f70f4485a64d63e8bcc1fdd21a6a9e4c5095aacdbaf0e2762bcc

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://or-logistlcs.com/zoro/zoro2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\winlog.exe
    "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\winlog.exe
      "{path}"
      2⤵
        PID:740

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/740-8-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/740-9-0x00000000004139DE-mapping.dmp
      Download
    • memory/740-10-0x0000000076641000-0x0000000076643000-memory.dmp
      Filesize

      8KB

      Download
    • memory/740-12-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1896-11-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/2008-2-0x0000000074BA0000-0x000000007528E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2008-3-0x00000000008C0000-0x00000000008C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2008-5-0x0000000005020000-0x0000000005021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2008-6-0x00000000004F0000-0x00000000004FB000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2008-7-0x0000000005240000-0x00000000052AF000-memory.dmp
      Filesize

      444KB

      Download