Overview

overview

10

Static

static

301747d499...9d.exe

windows7_x64

10

301747d499...9d.exe

windows10_x64

10

Analysis

  • max time kernel
    85s
  • max time network
    87s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d.exe

  • Size

    148KB

  • MD5

    ca44a3a8334d049e806e9e02f2c764f8

  • SHA1

    4484b6795336e063747d7157cfddd15c7c218ca6

  • SHA256

    301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d

  • SHA512

    5404d0f741e65937bdd0c0ec077fda9a3681b7bc6e12a579e8129e1ccc10aa53d0a47bba0f0bd7298cffc10efb19f4f4eec233e3cf2d0750d5545b9ab98cc73a

Score
10/10
lokibotspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://103.194.170.48/update/GISVOUH/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d.exe
    "C:\Users\Admin\AppData\Local\Temp\301747d4995adca377535e08bc8509235fd4d17b0fdda6dcd0a80e67a7b3669d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kydbm31\3kydbm31.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3786.tmp" "c:\Users\Admin\AppData\Local\Temp\3kydbm31\CSC295786336CC4BF4B135BFA279B5916.TMP"
        3⤵
          PID:3436
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:668

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3kydbm31\3kydbm31.dll
      MD5

      85bf3314fda2a9d05b571899fe9f1710

      SHA1

      acda8ddcf739f5768b972c266030fb6f895d4396

      SHA256

      1acb04f05477205c44e993aa97fd7122b0edb6f7f8c78b3b24543fbb4e233359

      SHA512

      3823a72b3986ccca6ef3cb2d7b6fbc6976b57abeb6fc04326a89ad634c9b98c23f7f05b2ea0a300de200137cd29ed15086639dfacb429b659ed7cb79e7bbe6e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3kydbm31\3kydbm31.pdb
      MD5

      1709a74fa304a789937ea18edfb8366e

      SHA1

      7964b3d09e09181998a50c239fee27e1272bbb06

      SHA256

      8b9aedd7dacb8f57b9d459cf22c82f4ee4aeeafeb802a18fbaa748f09fa7d13a

      SHA512

      926b8bee6d85053f82fab779bd2b5129e87d9af9f6da475b92ed5691a66221ffabc0dbdb4d93dc1336d7fa90ef7a30f8dfe83f9b64a2406f1f6bd2d82ee235c2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RES3786.tmp
      MD5

      5a561302edad18af3c1661f78aa1006e

      SHA1

      2dd1464b66063af782cadda16d1aa723e7e8caa6

      SHA256

      316be86ddfe9d8efa28cf1231c9a621e13599216e276e58f73e82dbeff372ca5

      SHA512

      3f99c2e74b947be979b4786e5450fd5709f4b33cdc56feb045643fc294e4caef9b459c67e405cb8301ab20e0b728a678bf6a88a55bbbe184125a5af3f2547bdb

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\3kydbm31\3kydbm31.0.cs
      MD5

      63d773f21162ad8964b0b6195aa7b99c

      SHA1

      bd17198070deb92e57acd6d70771bea4de3cf0c3

      SHA256

      59d178be1e411f4a487ec04ed9c216f4c4f0701adfcd28c561492ac55c625fba

      SHA512

      ea57f2f22afb7c461859afa85a3702ef881d56adc9a54f6b8f9003d11c1adff6addaa4c521fd65283d33229c8676921db2919ea7c945c8920465a370081e060c

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\3kydbm31\3kydbm31.cmdline
      MD5

      20f377be1c848960f89dfd101ba137c3

      SHA1

      645b22ecbd450a65b4c094cd2f2dcc5ba6a29181

      SHA256

      4db0632d585cecc247143934aabe5403e877fb9d960407c63bebb8ecf06d2702

      SHA512

      fe8f2600ef4d141dbf15f8ea4d2b43102a4ddd6e2c13b78c8f6431ef3251d648e27eaadb0e5990a212408f7e668a0c059cc06210a7e103a58e1b06ac04d174a8

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\3kydbm31\CSC295786336CC4BF4B135BFA279B5916.TMP
      MD5

      484e09ab65392739e90bd1785f41e3fc

      SHA1

      c00b7b50f8e40204532f99db79acd77ba686a2a2

      SHA256

      770926eee958b40af7cb7c5a7b6d6b59cf510ad9182f89eb79f6bc6d33a118e4

      SHA512

      8b7f7acb88e0094e0a625829ba53ee08429435606e6c3ca4892c0992f0d183c17a91134109b27b82a494a254f22f1cc0ec11cd7c182a9ad249aec69f27ef97ed

      Download Submit
    • memory/668-132-0x00000000004139DE-mapping.dmp
      Download
    • memory/668-133-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/668-131-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/1832-125-0x0000000003180000-0x0000000003182000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1832-114-0x0000000000E30000-0x0000000000E31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1832-126-0x00000000057B0000-0x00000000057B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1832-127-0x0000000005B70000-0x0000000005B94000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1832-128-0x00000000057A0000-0x00000000057A6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1832-129-0x0000000005BB0000-0x0000000005BCA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1832-130-0x0000000005DD0000-0x0000000005DD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1832-116-0x0000000003170000-0x0000000003171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3044-117-0x0000000000000000-mapping.dmp
      Download
    • memory/3436-120-0x0000000000000000-mapping.dmp
      Download