Overview

overview

10

Static

static

vbc.exe

windows7_x64

10

vbc.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    26-10-2021 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbc.exe

  • Size

    256KB

  • MD5

    c30565830025332db48b9f38ddb2ab3f

  • SHA1

    63219e001fc7baada4d0168d2b64dbb73dfdcd3e

  • SHA256

    63302fc8ec38235750576f3a3c2e0566cd3392074d0a56aeb466e5c8611aeabd

  • SHA512

    70a0d348bd5e7e4895d73971514bbe658ba6e927b5ce349134059e6bd5dcbe99fb244b63c60d2417fb66424a91f2acaff2dcbe9d1732644993cb9312a6dabfb2

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://63.250.40.204/~wpdemo/file.php?search=475803

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vbc.exe
    "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/836-55-0x0000000000890000-0x0000000000891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-57-0x0000000076531000-0x0000000076533000-memory.dmp
    Filesize

    8KB

    Download
  • memory/836-58-0x0000000000770000-0x0000000000771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-59-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-60-0x0000000000590000-0x0000000000597000-memory.dmp
    Filesize

    28KB

    Download
  • memory/836-61-0x00000000007B0000-0x00000000007EB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/1660-62-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1660-63-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1660-64-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1660-65-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1660-66-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1660-67-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1660-68-0x00000000004139DE-mapping.dmp
    Download
  • memory/1660-70-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download