Overview

overview

10

Static

static

4cea5d8cb3...0a.msi

windows7_x64

10

4cea5d8cb3...0a.msi

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4cea5d8cb3e0a17e942812e31667120a

  • Size

    124KB

  • Sample

    211019-mr94fsgfaj

  • MD5

    4cea5d8cb3e0a17e942812e31667120a

  • SHA1

    c526373cc21495053cdf3ff735f10e4f031659b7

  • SHA256

    be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a

  • SHA512

    1eed5b3fa630ca2e4998e5eae400cab82a2e65005107f9bae0ae04a7ed7b32373ffaaf486578acca13bf74c38193e62fbb51da381555fec8d45c10a40cc962f7

Score
10/10
guloaderlokibotcollectiondownloaderpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=6446112

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      4cea5d8cb3e0a17e942812e31667120a

    • Size

      124KB

    • MD5

      4cea5d8cb3e0a17e942812e31667120a

    • SHA1

      c526373cc21495053cdf3ff735f10e4f031659b7

    • SHA256

      be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a

    • SHA512

      1eed5b3fa630ca2e4998e5eae400cab82a2e65005107f9bae0ae04a7ed7b32373ffaaf486578acca13bf74c38193e62fbb51da381555fec8d45c10a40cc962f7

    Score
    10/10
    guloaderdownloaderpersistencelokibotcollectionspywarestealersuricatatrojan

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • Executes dropped EXE

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks