Overview

overview

10

Static

static

301747D499...DA.exe

windows7_x64

10

301747D499...DA.exe

windows10_x64

10

Analysis

  • max time kernel
    86s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe

  • Size

    148KB

  • MD5

    ca44a3a8334d049e806e9e02f2c764f8

  • SHA1

    4484b6795336e063747d7157cfddd15c7c218ca6

  • SHA256

    301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d

  • SHA512

    5404d0f741e65937bdd0c0ec077fda9a3681b7bc6e12a579e8129e1ccc10aa53d0a47bba0f0bd7298cffc10efb19f4f4eec233e3cf2d0750d5545b9ab98cc73a

Score
10/10
lokibotspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://103.194.170.48/update/GISVOUH/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe
    "C:\Users\Admin\AppData\Local\Temp\301747D4995ADCA377535E08BC8509235FD4D17B0FDDA.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ihdgdwrq\ihdgdwrq.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4180
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A85.tmp" "c:\Users\Admin\AppData\Local\Temp\ihdgdwrq\CSC701C7815B034A1B826475FDA9CB3E6F.TMP"
        3⤵
          PID:4092
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2592

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES7A85.tmp
      MD5

      f817a9d2dc9196701f090d68d128a05a

      SHA1

      c6c26ecd2f8ca505aa023cf27d0bc93798a58afa

      SHA256

      e253a4f61477f4b0da452c290e46756e37a46f51401d3a272c613f3ceabda919

      SHA512

      93790f5e11029890b41cda0f12b92f6859cbf1c0a407e8880084e816c8beac71780dad381aac6cf12d4099edbdc7021882c36af36f3f87d15564a2012ac54e0f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ihdgdwrq\ihdgdwrq.dll
      MD5

      0d1ebe29ae2daa58a8eda7981b715e10

      SHA1

      eb314305b6e236a6c0b5a1cd33aacc82eeab38b9

      SHA256

      9ef30b460e7997a5a6329e73ec143de65519b8eeb25ab7d55cd241e8887b10ae

      SHA512

      e7f7877a1c07e9313a0f8d681364eb426cbe5e78376e53eef4b8dc93c22ceb7fc481197632bbc00e2ed836514c9cef532866115b8f0a86d78b8503c128d77eee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ihdgdwrq\ihdgdwrq.pdb
      MD5

      38a019dd85510aa2c0d2788c0bd27e5f

      SHA1

      34242f2d4edf80fc755d0c4c85ca00756d28fbb0

      SHA256

      73ea7e4415c20f84d723e44ce3e8391afeb30406ffa10e927745e07a454fff35

      SHA512

      4c4e401f1a8320ff5f49a8fd7a82d7b86e93533ac0c36159250a9409bd70adede919d5173631a93a2440ada47a8a25b54718b4bd6a84f14edf76bf42fb29eceb

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ihdgdwrq\CSC701C7815B034A1B826475FDA9CB3E6F.TMP
      MD5

      d0b991becd526f5fe6161e4e3e77fb69

      SHA1

      880defef6b7894ec2a8b1fa9917d1350e8d7b77f

      SHA256

      65b5089670f89944f81d2f7989a2629ef1407a80b517c30a8adebb5cee0a6cd8

      SHA512

      76868132e72fec06bff4e92a5cb34cbe7c31e0f6c552f4829d8938aed0b465de0acf25dfb6e362d7465293736a8b5ae24fc630c7eefb984ecec9d82a19b4968e

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ihdgdwrq\ihdgdwrq.0.cs
      MD5

      63d773f21162ad8964b0b6195aa7b99c

      SHA1

      bd17198070deb92e57acd6d70771bea4de3cf0c3

      SHA256

      59d178be1e411f4a487ec04ed9c216f4c4f0701adfcd28c561492ac55c625fba

      SHA512

      ea57f2f22afb7c461859afa85a3702ef881d56adc9a54f6b8f9003d11c1adff6addaa4c521fd65283d33229c8676921db2919ea7c945c8920465a370081e060c

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\ihdgdwrq\ihdgdwrq.cmdline
      MD5

      d6f5f2f55343503a39681a7b052f393d

      SHA1

      418ceb11eda9a47fdc1acc0ea137c6f5ffdf38d9

      SHA256

      d79b0406b805de73ec9c5dcacbe92fb52ecde84e09764e4ce34fcea7316da1d6

      SHA512

      5ad19b0e92304ae5213b627f15bc60b18281f9e194ef90df157fe3be9eabb077aecb1a6e179d6dacf6b90b6cd23d7785d1d5b0f359263a99da56cf7d7daea103

      Download Submit
    • memory/2592-134-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2592-132-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2592-133-0x00000000004139DE-mapping.dmp
      Download
    • memory/3704-120-0x0000000005690000-0x0000000005691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3704-126-0x0000000002EB0000-0x0000000002EB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3704-127-0x0000000005590000-0x0000000005591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3704-128-0x0000000005660000-0x0000000005684000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3704-129-0x0000000005580000-0x0000000005586000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3704-130-0x00000000059A0000-0x00000000059BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3704-131-0x0000000005BC0000-0x0000000005BC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3704-115-0x0000000000D60000-0x0000000000D61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4092-121-0x0000000000000000-mapping.dmp
      Download
    • memory/4180-117-0x0000000000000000-mapping.dmp
      Download