Overview

overview

10

Static

static

202107270010.exe

windows7_x64

8

202107270010.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    202107270010.exe

  • Size

    13KB

  • MD5

    3dff5c2b37da43ac40de3e0d5fa5b357

  • SHA1

    ad8051789c990e68f850ad5d58bea12e321bae18

  • SHA256

    730bfa776152c38152b5c9180061bf02b4b63a62f2f214cf022bce4bda218c8a

  • SHA512

    b866abd538be4fde091b9f4498c25d6096d55667bad638ad96fb305fd54b140072d27fd0cb7f574581f5de8f33b58cc41bcfc595a5474eb8be663f6b7505da14

Score
10/10
lokibotspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

https://vistusexpress.ao/wp-img/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin
    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
    suricata
  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202107270010.exe
    "C:\Users\Admin\AppData\Local\Temp\202107270010.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Users\Admin\AppData\Local\Temp\202107270010.exe
      "C:\Users\Admin\AppData\Local\Temp\202107270010.exe"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/512-123-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/512-124-0x00000000004139DE-mapping.dmp
    Download
  • memory/512-125-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/800-114-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/800-116-0x00000000053F0000-0x00000000053F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/800-117-0x0000000004F90000-0x0000000004F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/800-118-0x0000000004F40000-0x0000000004F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/800-119-0x0000000004EF0000-0x00000000053EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/800-120-0x0000000004EF0000-0x00000000053EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/800-121-0x00000000053E0000-0x00000000053EB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/800-122-0x0000000009170000-0x0000000009171000-memory.dmp
    Filesize

    4KB

    Download