Overview

overview

10

Static

static

1

bc342f9679...e5.exe

windows7_x64

10

bc342f9679...e5.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-04-2021 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc342f9679aeab723916338bce061ae5.exe

  • Size

    148KB

  • MD5

    bc342f9679aeab723916338bce061ae5

  • SHA1

    883248ca2481b280aa53047a1aa77009321fdcae

  • SHA256

    5d96ff0fc3e6847c93e28bce3c25bce90dd5401fc147def6ee33c5d90bfb3add

  • SHA512

    f3b8cd24788fca6fd6219ad98652d662668388c7f7b610d7535201e4ff8b1d211b3a0e75e607776b6f842b42d084e6782e485338aa775030ea0a078d43a50908

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://meirback.co.uk/Bn1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe
    "C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe
      "C:\Users\Admin\AppData\Local\Temp\bc342f9679aeab723916338bce061ae5.exe"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsw2468.tmp\osja59nxskx1.dll
    MD5

    f00e33531658def3d2f28b99de31f5f2

    SHA1

    a61f29d141a49fcb1179f2a6def3e9b9e02980fd

    SHA256

    150c807a7cef7a769827af7dd7217fec1634114a4d5be70db911175f5840e5f5

    SHA512

    6f6601c8a8586cf9325b738584269f6db9177c49b35d08f67defa5754556bc039a393b43458967de44882e10adf135a47d38aa1d7d044418d98d0bb457b6ef08

    Download Submit
  • memory/2344-116-0x00000000004139DE-mapping.dmp
    Download
  • memory/2344-117-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/3016-115-0x00000000021D0000-0x00000000021D2000-memory.dmp
    Filesize

    8KB

    Download