Overview

overview

10

Static

static

1

dridex

windows10_x64

10

Analysis

  • max time kernel
    102s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    907b94712371352eba65c78fb8e4e99c68df75b2c0b9ce8a2a4ad91160df9f5e.exe

  • Size

    249KB

  • MD5

    781c03c9fe5134551a626abceb0a8526

  • SHA1

    f61f0a5dddc5627c06ab1836364c917ca71476e6

  • SHA256

    907b94712371352eba65c78fb8e4e99c68df75b2c0b9ce8a2a4ad91160df9f5e

  • SHA512

    38a5f2ea854a86681211e6d9cf9e3c86c9046b7062b03a9ee013ce560e98890085f34471fcfc49c45b2e4990d17765e000ffa7aad2b17f785e213b93aed36360

Score
10/10
lokibotspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://136.243.159.53/~element/page.php?id=488

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\907b94712371352eba65c78fb8e4e99c68df75b2c0b9ce8a2a4ad91160df9f5e.exe
    "C:\Users\Admin\AppData\Local\Temp\907b94712371352eba65c78fb8e4e99c68df75b2c0b9ce8a2a4ad91160df9f5e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\907b94712371352eba65c78fb8e4e99c68df75b2c0b9ce8a2a4ad91160df9f5e.exe
      "C:\Users\Admin\AppData\Local\Temp\907b94712371352eba65c78fb8e4e99c68df75b2c0b9ce8a2a4ad91160df9f5e.exe"
      2⤵
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:856

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsd52B0.tmp\hvjllljvd.dll
    MD5

    3373c2e4c5768a2f755519b6f49c6d6d

    SHA1

    492a2c175561b7d560d5b949d65a4e1d8a136899

    SHA256

    72531b48ebcfa57d6ea3b3e458c0f10e8be5d04c0ef2064729901d30eedd5ec5

    SHA512

    5c50b5d14bc28cf1f94b1933757f3cd9e8e884ab64e02a07ae12464d50cbe013846f177abe8987b7c0dc9ff01d992e20d7962d7899c6708862e7b95a430e9e26

    Download Submit

  • memory/856-115-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/856-116-0x00000000004139DE-mapping.dmp

    Download

  • memory/856-117-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download