Overview

overview

10

Static

static

Detalles d...df.exe

windows7_x64

10

Detalles d...df.exe

windows10_x64

10

Analysis

  • max time kernel
    100s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Detalles de pago PROVV0003654043.pdf.exe

  • Size

    393KB

  • MD5

    4d85e6c70760761a009957e9db240df0

  • SHA1

    729128422d7b4c6939f13a4f9f19b72976222a01

  • SHA256

    32894ea1274b19405c61b1ef24059a7e6b2854984a4c5ab6f349899ba64696ff

  • SHA512

    acac07d01c08eec2e9d65642acc2ff7b9f850f30d753f16c9081826834e7f8282e9ef1109d1129e8f9cc6c176a430daf8fafced964825820027d958010ecf6eb

Score
10/10
lokibotspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://ccjjlogsx.com/uu/me/ii.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin
    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
    suricata
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Detalles de pago PROVV0003654043.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Detalles de pago PROVV0003654043.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\Detalles de pago PROVV0003654043.pdf.exe
      "{path}"
      2⤵
        PID:3472
      • C:\Users\Admin\AppData\Local\Temp\Detalles de pago PROVV0003654043.pdf.exe
        "{path}"
        2⤵
          PID:1312
        • C:\Users\Admin\AppData\Local\Temp\Detalles de pago PROVV0003654043.pdf.exe
          "{path}"
          2⤵
            PID:3588
          • C:\Users\Admin\AppData\Local\Temp\Detalles de pago PROVV0003654043.pdf.exe
            "{path}"
            2⤵
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            PID:1304

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1304-124-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1304-125-0x00000000004139DE-mapping.dmp
          Download
        • memory/1304-126-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/2896-114-0x0000000000B50000-0x0000000000B51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2896-116-0x0000000005960000-0x0000000005961000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2896-117-0x0000000005500000-0x0000000005501000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2896-118-0x00000000053F0000-0x00000000053F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2896-119-0x0000000005460000-0x000000000595E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2896-120-0x00000000056A0000-0x00000000056A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2896-121-0x0000000008C30000-0x0000000008C31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2896-122-0x0000000006EC0000-0x0000000006F2C000-memory.dmp
          Filesize

          432KB

          Download
        • memory/2896-123-0x0000000006E60000-0x0000000006E7F000-memory.dmp
          Filesize

          124KB

          Download