Overview

overview

10

Static

static

gunzipped.exe

windows7_x64

10

gunzipped.exe

windows10_x64

10

Analysis

  • max time kernel
    39s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-06-2021 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gunzipped.exe

  • Size

    518KB

  • MD5

    fc0199d22b504b1a551d5d0e1474fd4c

  • SHA1

    04607145bfc8fafb8413e969593a65e2ed86a485

  • SHA256

    0d9b5c176c7db0c067711afadce4630e5be2671d9f9431d5291e702d0b4cabad

  • SHA512

    f4ada22cdc2acdad31e17fe99eab1edfd76364c7d00197809a2418df2e7a193703dca1e42007e3daa8e94e9c90c5edd816aac92bab900f6a4d85b85a98cfb719

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.141.228.141/32.php/fn1ToJTMzu3Td

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

https://www.tepevizyon.com.tr/xx/Panel/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Woffykqmovlauvwlgvo.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:340
      • C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
        "C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe"
        3⤵
        • Executes dropped EXE
        PID:1364
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Woffykqmovlauvwlgvo.vbs
    MD5

    835e2bddca034b38b072ec3e2d794582

    SHA1

    93477a5a8adb29ee5980583eff9b17987ce3997c

    SHA256

    51696625ca5c5c605eeb6dce4b2d65445bc678770146c29ac4749e8230e0ef43

    SHA512

    db8c5df91fef0bbf5e4cb63b4939f043484879d89660dd9c01b0ba5581d8e63503e08e446afa919d00dcd07317d92e76e680b0f3d1ea31620040d49b71e0b25d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
    MD5

    8b2ba32b908f900bbcd982a89dd45d70

    SHA1

    5d204803edcc82594802dc79bdd88d66bfe00250

    SHA256

    9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65

    SHA512

    266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ykjxjveewsffioinnxx_t new.exe
    MD5

    8b2ba32b908f900bbcd982a89dd45d70

    SHA1

    5d204803edcc82594802dc79bdd88d66bfe00250

    SHA256

    9d47f8406d134f32cd76a770e025fa8dd2fb982e864d239f7aeecf2cb2b8ed65

    SHA512

    266988c1ed4922426abf57ad67d59f5455c19de32c2eedb8c0b58ee5b3a2a5d0be785b4bb20d99e185f9d49d84d3f03b299ab491f1e3f14e910fdde197749ed7

    Download Submit
  • memory/340-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1040-133-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1040-129-0x00000000004139DE-mapping.dmp
    Download
  • memory/1040-128-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1364-131-0x0000000000000000-mapping.dmp
    Download
  • memory/4800-118-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4800-125-0x00000000077E0000-0x0000000007846000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4800-120-0x0000000007500000-0x0000000007555000-memory.dmp
    Filesize

    340KB

    Download
  • memory/4800-119-0x0000000002C60000-0x0000000002CF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4800-114-0x0000000000870000-0x0000000000871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4800-117-0x0000000005150000-0x0000000005151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4800-116-0x0000000005770000-0x0000000005771000-memory.dmp
    Filesize

    4KB

    Download