Analysis
-
max time kernel
157s -
max time network
157s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
08-11-2021 23:16
General
-
Target
9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe
-
Size
323KB
-
MD5
4038f440c0d6f5d10280803843645ab0
-
SHA1
bc093bdb85b04517c8a6feae8b2d95c9b8f7fb95
-
SHA256
9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0
-
SHA512
22dd15ec16f7731913b9ed2ecfb952bf9c44ecfe1b9aaf67447e5252a2b0209631d1a9ba7d5097e2b9fd0a8675e84476a7fcfce36720fa7d3b7f487146042d9f
Malware Config
Extracted
lokibot
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 53 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe"C:\Users\Admin\AppData\Local\Temp\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exeMD5
d8b456824ddc672a6d2edec9a919ba19
SHA185842e7dd1bacb15db7512463451cb1cbe9e65f5
SHA25662cbf056f59437f05c8b98ff324ac9a3edb1dc122ad1c2353d078385b8f6bbf6
SHA512cbb4bac472725841109cb77002084c43d292f4a73c3057e17d3d425cd77e72038cfd622468d6a622e11fe0637309f152cf6b674ca1fad5bd8907df50b7408359
-
C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exeMD5
d8b456824ddc672a6d2edec9a919ba19
SHA185842e7dd1bacb15db7512463451cb1cbe9e65f5
SHA25662cbf056f59437f05c8b98ff324ac9a3edb1dc122ad1c2353d078385b8f6bbf6
SHA512cbb4bac472725841109cb77002084c43d292f4a73c3057e17d3d425cd77e72038cfd622468d6a622e11fe0637309f152cf6b674ca1fad5bd8907df50b7408359
-
C:\Users\Admin\AppData\Local\Temp\3582-490\9a8dfb9176f7398d42433f00e4093b1f2a54fe9fd4b6ee00f9ef9fba87bc88f0.exeMD5
d8b456824ddc672a6d2edec9a919ba19
SHA185842e7dd1bacb15db7512463451cb1cbe9e65f5
SHA25662cbf056f59437f05c8b98ff324ac9a3edb1dc122ad1c2353d078385b8f6bbf6
SHA512cbb4bac472725841109cb77002084c43d292f4a73c3057e17d3d425cd77e72038cfd622468d6a622e11fe0637309f152cf6b674ca1fad5bd8907df50b7408359
-
\Users\Admin\AppData\Local\Temp\nsaF86B.tmp\yexhkcaziew.dllMD5
b49ad4d76763c2482d3ac191d97739d7
SHA16da0995a10b97a72f6f0f8adac52ac5c8904c5a1
SHA256efc9daac94a3fa8e37709aff4cedc208b106dedf02a9c52265af0f93914fd5d3
SHA512f2aaee43a19cb795c5cca11a63fa4ba410eabb1f5288d6e5d411ccca29060d2b8468a94ad441aa37d9edf56094482359e0b455b62afc0aab9a9e49c6f7a58017
-
memory/1972-119-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/1972-120-0x00000000004139DE-mapping.dmp
-
memory/1972-122-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3400-115-0x0000000000000000-mapping.dmp