Analysis

max time kernel: 148s
max time network: 170s
platform: windows10_x64
resource: win10-en-20211104
submitted: 02-12-2021 12:06
Static task: static1

Behavioral task: behavioral1
Sample: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
Resource: win10-en-20211104
General

Target: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
Size: 185KB
MD5: 9ff3b37069e0772af03732b022c02789
SHA1: ebaa34d6e69a4a33ad40ac64791b5f6366b7be9c
SHA256: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b
SHA512: a7adfcd88ed04c03a93406eca63824eea8a71dd3471bde3e8217a1c184db064eff90c73a0036bfd36a908f45761454f0344166de6a8e07ee83b57588fffa6dee
Malware Config

Extracted family: lokibot
C2 URLs:
- http://63.250.34.171/tickets.php?id=156
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
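The two network indicators above (the extracted C2 URL list and the LokiBot User-Agent signature) can be turned into a simple proxy-log check. The following is an added example, not code from the sandbox or from this report: the log lines are constructed, and the User-Agent value containing "Charon" and "Inferno" is an assumption taken from the Suricata signature name rather than from a capture on this page. Matching is done on host and path only, so the per-build `id=` query parameter on `tickets.php` does not have to match exactly.

```python
"""Match HTTP proxy log lines against the LokiBot C2 URLs extracted above.

Added example, not part of the sandbox report: the log lines are constructed,
and the User-Agent substrings "Charon" and "Inferno" are taken from the name
of the Suricata signature that fired, not from a capture on this page.
"""
from urllib.parse import urlsplit

# C2 URLs from the extracted configuration in this report.
C2_URLS = [
    "http://63.250.34.171/tickets.php?id=156",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy log lines: METHOD URL "User-Agent". The User-Agent string
# is an assumption consistent with the "Charon/Inferno" signature name.
SAMPLE_LOG = [
    'POST http://63.250.34.171/tickets.php?id=981 "Mozilla/4.08 (Charon; Inferno)"',
    'GET http://www.example.com/ "Mozilla/5.0"',
    'POST http://ALPHASTAND.win:80/alien/fre.php "Mozilla/5.0"',
    'POST http://cdn.example.net/update.php "Mozilla/4.08 (Charon; Inferno)"',
]


def c2_keys(urls):
    """Normalise each C2 URL to a (host, path) pair.

    The query string is dropped on purpose: the id= value in tickets.php?id=156
    is a per-build parameter and a live beacon may carry a different one.
    """
    keys = set()
    for url in urls:
        parts = urlsplit(url)
        keys.add((parts.hostname.lower(), parts.path))
    return keys


def parse_line(line):
    """Split 'METHOD URL "User-Agent"' into (method, url, user_agent)."""
    head, _, ua = line.partition(' "')
    method, _, url = head.partition(" ")
    return method, url, ua.rstrip('"')


def classify(line, keys):
    """Return the reasons a line is suspicious; an empty list means clean."""
    method, url, ua = parse_line(line)
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname.lower(), parts.path) in keys:
        reasons.append("known-c2-url")
    if "Charon" in ua and "Inferno" in ua:
        # The beacon User-Agent alone is enough to alert, even to an unknown host.
        reasons.append("lokibot-user-agent")
    if method == "POST" and reasons:
        reasons.append("post-checkin")
    return reasons


def find_hits(log, urls=C2_URLS):
    """Return [(url, reasons)] for every log line that matched at least once."""
    keys = c2_keys(urls)
    hits = []
    for line in log:
        reasons = classify(line, keys)
        if reasons:
            hits.append((parse_line(line)[1], reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in find_hits(SAMPLE_LOG):
        print(url, ", ".join(reasons))
```

The fourth constructed line shows why the User-Agent check is kept separate from the URL list: a beacon to a host that is not yet in the extracted configuration still fires on the User-Agent alone.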

Executes dropped EXE (1 IoC)
Processes:
  pid 4224  Form_Pilleorms8.exe

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks for the QEMU guest agent file, possibly to detect virtualization. Both Form_Pilleorms8.exe stages in the process tree perform the check.
Processes:
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  Form_Pilleorms8.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  Form_Pilleorms8.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 4160  Form_Pilleorms8.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly read stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Form_Pilleorms8.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  Form_Pilleorms8.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Form_Pilleorms8.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
  pid 4160  Form_Pilleorms8.exe
  pid 4160  Form_Pilleorms8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid 4224  Form_Pilleorms8.exe
  pid 4160  Form_Pilleorms8.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 4224 (Form_Pilleorms8.exe) set thread context of PID 4160 (Form_Pilleorms8.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but nothing else in this report shows file encryption, and the extracted configuration identifies the payload as the LokiBot infostealer; read it here as drive enumeration, not as evidence of ransomware.
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 4224  Form_Pilleorms8.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege  pid 4160  Form_Pilleorms8.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 4224  Form_Pilleorms8.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  PID 2140 (18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe) wrote to memory of PID 4224 (Form_Pilleorms8.exe)  (3 events)
  PID 4224 (Form_Pilleorms8.exe) wrote to memory of PID 4160 (Form_Pilleorms8.exe)  (4 events)

outlook_office_path (1 IoC)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Form_Pilleorms8.exe

outlook_win_path (1 IoC)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Form_Pilleorms8.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe  (pid 2140)
  command line: "C:\Users\Admin\AppData\Local\Temp\18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\Form_Pilleorms8.exe  (pid 4224, child of pid 2140)
    command line: C:\Users\Admin\AppData\Local\Temp\Form_Pilleorms8.exe
    - Executes dropped EXE
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\Form_Pilleorms8.exe  (pid 4160, child of pid 4224; the stage that pid 4224 wrote to and set the thread context of)
      command line: C:\Users\Admin\AppData\Local\Temp\Form_Pilleorms8.exe
      - Checks QEMU agent file
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
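The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the process tree and to spot the injection step between the two Form_Pilleorms8.exe instances. The script below is an added example, not code from the sandbox or from this report: the EVENTS rows are transcribed from the signature tables on this page, and the heuristic it applies (a parent that writes into a child's memory and then replaces that child's thread context) is the classic create-suspended, write, SetThreadContext, resume sequence of process hollowing.

```python
"""Rebuild the process tree from flattened sandbox rows and flag the
process-hollowing pattern.

Added example, not part of the sandbox report. EVENTS is transcribed from the
WriteProcessMemory and SetThreadContext tables on this page.
"""
from collections import defaultdict

ORIGINAL = "18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe"
DROPPED = "Form_Pilleorms8.exe"

# (signature, source pid, source image, target pid, target image)
EVENTS = [
    ("WriteProcessMemory", 2140, ORIGINAL, 4224, DROPPED),
    ("WriteProcessMemory", 2140, ORIGINAL, 4224, DROPPED),
    ("WriteProcessMemory", 2140, ORIGINAL, 4224, DROPPED),
    ("WriteProcessMemory", 4224, DROPPED, 4160, DROPPED),
    ("WriteProcessMemory", 4224, DROPPED, 4160, DROPPED),
    ("WriteProcessMemory", 4224, DROPPED, 4160, DROPPED),
    ("WriteProcessMemory", 4224, DROPPED, 4160, DROPPED),
    ("SetThreadContext", 4224, DROPPED, 4160, DROPPED),
]


def build_tree(events):
    """Return (parent-of map, pid -> image map).

    A pid's parent is taken to be the first process seen writing into it; in
    this trace that is also the creator, as the process tree above confirms.
    """
    parent, images = {}, {}
    for sig, spid, simg, tpid, timg in events:
        images[spid], images[tpid] = simg, timg
        if sig == "WriteProcessMemory":
            parent.setdefault(tpid, spid)
    return parent, images


def find_hollowing(events):
    """(parent, child) pairs where the parent both wrote the child's memory
    and set its thread context.

    A same-image pair (here both Form_Pilleorms8.exe) means the payload was
    injected into a fresh copy of the dropper rather than into a system binary.
    """
    wrote = defaultdict(set)
    ctx = set()
    for sig, spid, _, tpid, _ in events:
        if sig == "WriteProcessMemory":
            wrote[spid].add(tpid)
        elif sig == "SetThreadContext":
            ctx.add((spid, tpid))
    return sorted(pair for pair in ctx if pair[1] in wrote[pair[0]])


def render(parent, images, root):
    """Indented tree, one line per process, children ordered by pid."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} (pid {pid})")
        for child in sorted(c for c, p in parent.items() if p == pid):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    parent, images = build_tree(EVENTS)
    print("\n".join(render(parent, images, 2140)))
    for p, c in find_hollowing(EVENTS):
        print(f"hollowing: pid {p} ({images[p]}) -> pid {c} ({images[c]})")
```

Note that pid 2140 writing into pid 4224 is not flagged: there is no SetThreadContext from 2140, which is consistent with the first stage simply launching the dropped file rather than hollowing it.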
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\Form_Pilleorms8.exe
MD5: 6196b71b6602aa420325b1124c64b20a
SHA1: b6a72182d7d0f755a14541b4d2bca13c19813d53
SHA256: 6ea314c3effead199543501a9301f0f13ccb3a01d9bd7f67e4f6803144241571
SHA512: c0b47dcf76fd4b6074827bd41b19bb751e06bd5d3ff41fbb37b8a7f267fef03a26b12704d5c026b684b48c6201854450b013d6ae5f94512a1d36d3def911d6c7

Memory dumps

- memory/4160-130-0x0000000000401000-0x00000000004FD000-memory.dmp  (1008KB)
- memory/4160-126-0x0000000000401314-mapping.dmp
- memory/4160-128-0x0000000000400000-0x0000000000553000-memory.dmp  (1.3MB)
- memory/4160-132-0x0000000000560000-0x0000000000660000-memory.dmp  (1024KB)
- memory/4160-133-0x00007FF9381F0000-0x00007FF9383CB000-memory.dmp  (1.9MB)
- memory/4160-134-0x0000000076F70000-0x00000000770FE000-memory.dmp  (1.6MB)
- memory/4160-135-0x0000000000400000-0x0000000000553000-memory.dmp  (1.3MB)
- memory/4224-124-0x00007FF9381F0000-0x00007FF9383CB000-memory.dmp  (1.9MB)
- memory/4224-125-0x0000000076F70000-0x00000000770FE000-memory.dmp  (1.6MB)
- memory/4224-123-0x0000000006570000-0x0000000006585000-memory.dmp  (84KB)
- memory/4224-118-0x0000000000000000-mapping.dmp
- memory/4224-131-0x0000000076F70000-0x00000000770FE000-memory.dmp  (1.6MB)