Analysis
- max time kernel: 126s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-10-2021 06:46

Static task: static1
Behavioral task: behavioral1
Sample: 90397a5fdff62ca9efc2e2edb989f88f.exe
Resource: win7-en-20210920

General
- Target: 90397a5fdff62ca9efc2e2edb989f88f.exe
- Size: 420KB
- MD5: 90397a5fdff62ca9efc2e2edb989f88f
- SHA1: ee5a253e9589385e41b1a39b740d2eaac6804ed7
- SHA256: c35926d69dc7156a41885046951fdbc724e3aabeb3178f206d1829e27ba462e0
- SHA512: 992d03e15b6bf92ebbf51bf51efaf36d92c0f75ea001a523c16406ab2254bf8adb4998881948775d28e51fe13ca433f39eccc6627076dcd66e348eec8357eba6
Malware Config
Extracted family: lokibot
C2 URLs:
- http://63.250.40.204/~wpdemo/file.php?search=9099522
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 90397a5fdff62ca9efc2e2edb989f88f.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 90397a5fdff62ca9efc2e2edb989f88f.exe
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 90397a5fdff62ca9efc2e2edb989f88f.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4304 set thread context of 3300 | 4304 | 90397a5fdff62ca9efc2e2edb989f88f.exe | 90397a5fdff62ca9efc2e2edb989f88f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3300 | 90397a5fdff62ca9efc2e2edb989f88f.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 4304 wrote to memory of 3300 | 4304 | 90397a5fdff62ca9efc2e2edb989f88f.exe | 90397a5fdff62ca9efc2e2edb989f88f.exe
  (the same entry is recorded 9 times in the report)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 90397a5fdff62ca9efc2e2edb989f88f.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 90397a5fdff62ca9efc2e2edb989f88f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\90397a5fdff62ca9efc2e2edb989f88f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90397a5fdff62ca9efc2e2edb989f88f.exe"
  PID: 4304
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\90397a5fdff62ca9efc2e2edb989f88f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\90397a5fdff62ca9efc2e2edb989f88f.exe"
    PID: 3300
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3300-124-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/3300-125-0x00000000004139DE-mapping.dmp
- memory/3300-126-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/4304-115-0x0000000000B50000-0x0000000000B51000-memory.dmp (4KB)
- memory/4304-117-0x0000000005A30000-0x0000000005A31000-memory.dmp (4KB)
- memory/4304-118-0x0000000005400000-0x0000000005401000-memory.dmp (4KB)
- memory/4304-119-0x00000000054B0000-0x00000000054B1000-memory.dmp (4KB)
- memory/4304-120-0x0000000005360000-0x00000000053F2000-memory.dmp (584KB)
- memory/4304-121-0x00000000061E0000-0x00000000061E7000-memory.dmp (28KB)
- memory/4304-122-0x0000000009110000-0x0000000009111000-memory.dmp (4KB)
- memory/4304-123-0x00000000090B0000-0x00000000090EC000-memory.dmp (240KB)