Overview

overview

10

Static

static

aviso de p...021.js

windows7_x64

10

aviso de p...021.js

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    01-12-2021 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aviso de pago del 01.12.2021.js

  • Size

    1KB

  • MD5

    a72ddb16e0e559006f5ca0979b106d00

  • SHA1

    dae0f29d09639c379646e43f47bce5bbda853e45

  • SHA256

    f659f61db048294e47a6c0e868b2564559254de105e013ade05cbc8b9d87aff8

  • SHA512

    011a0171e30d6fb71df7716287eca3c2f44067f984115f67726ba69a328bea6b2bd3a3b53a2752a8508ec00a69c9b1be3a1926072bdea7653d42a507d6cd7b14

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://secure01-redirect.net/fx/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\aviso de pago del 01.12.2021.js"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\rt.exe
      "C:\Users\Admin\AppData\Local\Temp\rt.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Users\Admin\AppData\Local\Temp\rt.exe
        "C:\Users\Admin\AppData\Local\Temp\rt.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1144

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rt.exe
    MD5

    d0fc2f15a3a4e69b737217ee57b52d09

    SHA1

    ce4dffbc0a397d8464d3000b5ef931d352b2309a

    SHA256

    fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a

    SHA512

    690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\rt.exe
    MD5

    d0fc2f15a3a4e69b737217ee57b52d09

    SHA1

    ce4dffbc0a397d8464d3000b5ef931d352b2309a

    SHA256

    fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a

    SHA512

    690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\rt.exe
    MD5

    d0fc2f15a3a4e69b737217ee57b52d09

    SHA1

    ce4dffbc0a397d8464d3000b5ef931d352b2309a

    SHA256

    fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a

    SHA512

    690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsdC5C0.tmp\xdgcjrq.dll
    MD5

    c5e26cc7e87195f4fe60189e58f60371

    SHA1

    e9acc1ea2db931dbeb1f2f4aedd9c1fcef89fc3c

    SHA256

    bac4d9fc17676966d79a8d08df8b7a4e3bc524801d0bd9df09f18f22c6cce6a5

    SHA512

    642df9f87b94f3cd95003611fa19497e431647dec6dd1fc9b107b345c2c188c93625aca233037378cfbdb31036b8835c1fa3800c41abfc5ad78b336fab29a21a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\rt.exe
    MD5

    d0fc2f15a3a4e69b737217ee57b52d09

    SHA1

    ce4dffbc0a397d8464d3000b5ef931d352b2309a

    SHA256

    fd0a42afaecfda32493063d664918e84688419a604f8b00c4113ca85dc8a193a

    SHA512

    690d745cb08761addb66a43a916c79dbcdec9a2ecfcd77f3f5d2385392a1a3f75448e04c58d4f3d9267fcf41b5b19da9a35cfe56ac23f69667f60f2d592eb341

    Download Submit
  • memory/592-55-0x0000000000000000-mapping.dmp
    Download
  • memory/592-57-0x00000000753E1000-0x00000000753E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1144-61-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1144-62-0x00000000004139DE-mapping.dmp
    Download
  • memory/1144-65-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download