Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 15:46

General

  • Target

    http://198.46.132.159/www/vbc.exe

  • Sample

    210727-j55rawjdj2

Malware Config

Extracted

Family

lokibot

C2

http://asiatrans.cf/BN1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://198.46.132.159/www/vbc.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3968
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\vbc.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\vbc.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2196

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    MD5

    c3f544b1ccb3d30c4a4d641d42702778

    SHA1

    07c50009db6f83442fbc2764ba58dcbea6bcdc1a

    SHA256

    a7c6104402e1a41d0c9ae3b0a4f5943528314aa48edd72d576068ddc8389ab83

    SHA512

    3553c09e54c6420d81975612e0877d392fbd3ed9730e1a3a87d5e23ed3ca0c4770e8b60bd296baace7e6baec3c084756a687b1b3a959f06b5df41b664db22824

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    MD5

    69885b0fc7bbd5b415bbb624e8041df1

    SHA1

    33e6f8553f0bed9c460651283102d224e1afdb80

    SHA256

    1af632f3fba61e9509d23aeba0a11aa2c5de6f1d7c99ff73503646a917756b4e

    SHA512

    62386325a9fcad635e4c13619ccabd1ccfc23308375830cfa208a9c99f20c1b594c0cdf841972297506e1b0c71a2a7aa5ffd5cea8c69dfed8b700f58a8d3ab3f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\vbc.exe

    MD5

    07c01497b1a48bd763519c1b2561ab2d

    SHA1

    7cd72784c6a4e251068a43cba935ebc8a1531c84

    SHA256

    a60e97778614ab28c9e6acf9a2a76e8f42c09372af1a9e5e6802018e3cee2829

    SHA512

    09213f2033186a671dad819e50d5740dc0b953f20fb2fddefc5798ce6bb5d1d40a3c8ed00b446104430541dd21f4bfdcee3e630215fba466f9cfe51fd9aea6b6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\vbc.exe.asoussd.partial

    MD5

    07c01497b1a48bd763519c1b2561ab2d

    SHA1

    7cd72784c6a4e251068a43cba935ebc8a1531c84

    SHA256

    a60e97778614ab28c9e6acf9a2a76e8f42c09372af1a9e5e6802018e3cee2829

    SHA512

    09213f2033186a671dad819e50d5740dc0b953f20fb2fddefc5798ce6bb5d1d40a3c8ed00b446104430541dd21f4bfdcee3e630215fba466f9cfe51fd9aea6b6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AVD23ILI.cookie

    MD5

    51f6e27dd7b55554c4beda94aa566369

    SHA1

    66e41255ec79dd6b1af295d3aaff2527ff1763c6

    SHA256

    c8cc4bb2021ab1b1abd434666993d27c3fc5ba5098e45ea2918ba8dbbf19b9c8

    SHA512

    cb0eabc31378a04e7a0a97959901d92a3b6ad1a0e621bc1e56eb5b5dba9263e978147d6c5812f95cba8bc1a5e7e8f8174a703fdd8c15bbcf5009f7776736f825

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\W04VRTTF.cookie

    MD5

    7100a253ec0d9e3f136bd4b23b94c0c0

    SHA1

    7486659eaf2401f308617bcd2ab7d8b95727c3f6

    SHA256

    64bd54a448a1922801610c34c14aa300bcdbbc69e1fbf4170404e7cb08e08f58

    SHA512

    aa930ebfb5808de112ebf3ce91691afa9d9ed641412f98b135042a5e68cbe376d3d219ca7b9729bc5f8ed2c8c88ef60a77ac45e95f524f2d073a1bf87ec1ae8e

  • memory/900-114-0x00007FFD62590000-0x00007FFD625FB000-memory.dmp

    Filesize

    428KB

  • memory/2196-119-0x00000000004139DE-mapping.dmp

  • memory/2196-122-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3544-117-0x0000000000000000-mapping.dmp

  • memory/3544-121-0x00000000001D0000-0x00000000001F3000-memory.dmp

    Filesize

    140KB

  • memory/3968-115-0x0000000000000000-mapping.dmp