Analysis
-
max time kernel
108s -
max time network
119s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
25-10-2021 08:10
General
-
Target
f184c7be5715b6cee3458d2b830788cf.exe
-
Size
263KB
-
MD5
f184c7be5715b6cee3458d2b830788cf
-
SHA1
83134dbda0337c6f5a41773b6d430bd227b4d6bf
-
SHA256
c2853161b03051757ee439842cf28a6526872c9898183a21deeb7fca109e4ff6
-
SHA512
4e89ae3793afd18a79c94a7cdddcbbea2122f5c133e7b6f30960b7076343325df4c2fb72b9a0f8e06c3dc4d70831d7b3f97db04a33eb32988babefa9d8254bbb
Malware Config
Extracted
lokibot
http://bobbyelectronics.xyz/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"C:\Users\Admin\AppData\Local\Temp\f184c7be5715b6cee3458d2b830788cf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3304-116-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/3304-118-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/3304-119-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/3304-120-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/3304-121-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/3304-122-0x00000000056C0000-0x00000000056C7000-memory.dmpFilesize
28KB
-
memory/3304-123-0x0000000006100000-0x0000000006101000-memory.dmpFilesize
4KB
-
memory/3304-124-0x0000000006060000-0x000000000609C000-memory.dmpFilesize
240KB
-
memory/3696-125-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3696-126-0x00000000004139DE-mapping.dmp
-
memory/3696-127-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB