Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 26-10-2021 03:53

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: vbc.exe; Resource: win7-en-20211014)
General
- Target: vbc.exe
- Size: 256KB
- MD5: c30565830025332db48b9f38ddb2ab3f
- SHA1: 63219e001fc7baada4d0168d2b64dbb73dfdcd3e
- SHA256: 63302fc8ec38235750576f3a3c2e0566cd3392074d0a56aeb466e5c8611aeabd
- SHA512: 70a0d348bd5e7e4895d73971514bbe658ba6e927b5ce349134059e6bd5dcbe99fb244b63c60d2417fb66424a91f2acaff2dcbe9d1732644993cb9312a6dabfb2
Malware Config
Extracted family: lokibot
Extracted URLs:
- http://63.250.40.204/~wpdemo/file.php?search=475803
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | vbc.exe
  - Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 836 set thread context of 1660 | 836 | vbc.exe | vbc.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
  - 1660 | vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1660 | vbc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  - PID 836 wrote to memory of 1660 | 836 | vbc.exe | vbc.exe (this identical row is recorded 10 times)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | vbc.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\vbc.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (tree depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/836-55-0x0000000000890000-0x0000000000891000-memory.dmp (Filesize: 4KB)
- memory/836-57-0x0000000076531000-0x0000000076533000-memory.dmp (Filesize: 8KB)
- memory/836-58-0x0000000000770000-0x0000000000771000-memory.dmp (Filesize: 4KB)
- memory/836-59-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize: 4KB)
- memory/836-60-0x0000000000590000-0x0000000000597000-memory.dmp (Filesize: 28KB)
- memory/836-61-0x00000000007B0000-0x00000000007EB000-memory.dmp (Filesize: 236KB)
- memory/1660-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-63-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1660-68-0x00000000004139DE-mapping.dmp
- memory/1660-70-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)