Overview

overview

10

Static

static

301747D499...DA.exe

windows7_x64

10

301747D499...DA.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe

  • Size

    148KB

  • MD5

    ca44a3a8334d049e806e9e02f2c764f8

  • SHA1

    4484b6795336e063747d7157cfddd15c7c218ca6

  • SHA256

    301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d

  • SHA512

    5404d0f741e65937bdd0c0ec077fda9a3681b7bc6e12a579e8129e1ccc10aa53d0a47bba0f0bd7298cffc10efb19f4f4eec233e3cf2d0750d5545b9ab98cc73a

Score
10/10
lokibotspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://103.194.170.48/update/GISVOUH/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
    "C:\Users\Admin\AppData\Local\Temp\301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxwhu5za\dxwhu5za.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES893B.tmp" "c:\Users\Admin\AppData\Local\Temp\dxwhu5za\CSC94B597378B96488FA39E28B71DC74AEF.TMP"
        3⤵
          PID:2688
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3292

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES893B.tmp
      MD5

      11463bd44a82107b1e9bcf82200f113c

      SHA1

      5cff3137300a98eaf5e8517ffd3e31d77996ed64

      SHA256

      8c1be2716f0b1906049d35505d9123fa07f18880bb2f74451c6fd68679682055

      SHA512

      43b918989919b2c8fa2a403d61d6dab06cdffae7ced8423d29f8fb63eee36bcc7d282cd81867c46d3854bcb6bfdd2f628f3efdee590a505877672d0138f86406

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dxwhu5za\dxwhu5za.dll
      MD5

      e1eb52b147bd65910014eea1118991eb

      SHA1

      22c3c1b26f58cb5e31b36c2d3b9472674d302d76

      SHA256

      400895918fba6536c2e6b730f3acc944230ce1e7bdc9375ac08d66d3631f5827

      SHA512

      df2e589c0041a77ae9498aa01f9cbd1b0ab5e0a6eb19389acc44daf63c1bdbe9d0227a4184c53961298112fc91cdb56f24e718991eb538979c6e16167747ae22

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dxwhu5za\dxwhu5za.pdb
      MD5

      97c4506ecc12c843f875dc7be9c032dd

      SHA1

      c9e0c1288fe71cf72c97717fde2df49116ee9d73

      SHA256

      de68ef08ab7b0c12f43ff1637aec9d8ebf88e6b29e90b79cfd283a5522ce5ff9

      SHA512

      031f79f8357e9d5057f3a154f3ee95fb3fad946aed951e448a01fe72ccc54927da9cea51d775563ba923e2abd97351fea7a4c7738ca37afb4c1bb78ae5e9cd38

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\dxwhu5za\CSC94B597378B96488FA39E28B71DC74AEF.TMP
      MD5

      fae4759b04b6a6bb40192f39a454dddc

      SHA1

      e3f66d93c235468361635abff6990948737ca63e

      SHA256

      2f7e3bf11127c14d704887e666b62581f797e6b2ee6f201767d77fef03ddde51

      SHA512

      e90f3f782c7619b5ae3ad101ddafc99e853da1523f67b98dfa8787ffa28305238c57f6b648fff992cc4a6da1688804921a64ab65e5561a90474f2e0bfa0d5058

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\dxwhu5za\dxwhu5za.0.cs
      MD5

      63d773f21162ad8964b0b6195aa7b99c

      SHA1

      bd17198070deb92e57acd6d70771bea4de3cf0c3

      SHA256

      59d178be1e411f4a487ec04ed9c216f4c4f0701adfcd28c561492ac55c625fba

      SHA512

      ea57f2f22afb7c461859afa85a3702ef881d56adc9a54f6b8f9003d11c1adff6addaa4c521fd65283d33229c8676921db2919ea7c945c8920465a370081e060c

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\dxwhu5za\dxwhu5za.cmdline
      MD5

      63853d0706b5de6160a66900727c2ea6

      SHA1

      2319b42ce0176e9735f5811b1c572116caa85eea

      SHA256

      b14266287686202f23c76451ad74ce2aa0989a7d0d46148d9f6ba3d0c05ec3b0

      SHA512

      d9a04974553f69fa05f0c70a01264a92916bd3596147fb1a5415c6c9669a21d479f963eac61407e183c00688fddec85b682a46ef7eee36aaab17e6f0a768c92c

      Download Submit
    • memory/2160-127-0x0000000005460000-0x0000000005461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2160-115-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2160-118-0x0000000005450000-0x0000000005451000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2160-126-0x0000000005340000-0x0000000005342000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2160-128-0x00000000057E0000-0x0000000005804000-memory.dmp
      Filesize

      144KB

      Download
    • memory/2160-129-0x00000000053F0000-0x00000000053F6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2160-130-0x0000000005810000-0x000000000582A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2160-131-0x0000000005A30000-0x0000000005A31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2444-117-0x0000000000000000-mapping.dmp
      Download
    • memory/2688-121-0x0000000000000000-mapping.dmp
      Download
    • memory/3292-133-0x00000000004139DE-mapping.dmp
      Download
    • memory/3292-132-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/3292-134-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download