Overview

overview

10

Static

static

10

d81601b026...87.exe

windows7_x64

10

d81601b026...87.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    171s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d81601b02629332411d2788bf2d04887.exe

  • Size

    284KB

  • MD5

    d81601b02629332411d2788bf2d04887

  • SHA1

    549c21b14e473ce091d78e7813dca84633d7cf9e

  • SHA256

    9ac23aff214fbb52d4009b72d05fb6d51aacb1e62e447857c435745875d6b550

  • SHA512

    2745d2f931f996ad98adfc75112e910343dfd8669fed2865f2c2e183cf2e554da9ea8e29b590b5d39b6b275c6f08136c336f9fb0f01fca49a6092b9a3959525d

Score
10/10
lokibotneshtacollectionpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.186/baba/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d81601b02629332411d2788bf2d04887.exe
    "C:\Users\Admin\AppData\Local\Temp\d81601b02629332411d2788bf2d04887.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
    MD5

    05890563d5c5a2136b6bb1b42e8961ec

    SHA1

    3ad235895a535da1025e18d214cd35d87c710002

    SHA256

    d095f19dcf8fefada3b643f7d79fd6ea4d9ae7edfb1658d0808b55f7fbad8f52

    SHA512

    17f34155ec38aa066c1a27b7ab3e06d79ca87f24208f24786687cb9ad73780c2bd28b0a4f59281fd80dcdf1c896500aeb1a55ee259209735642842c2d2490d42

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
    MD5

    05890563d5c5a2136b6bb1b42e8961ec

    SHA1

    3ad235895a535da1025e18d214cd35d87c710002

    SHA256

    d095f19dcf8fefada3b643f7d79fd6ea4d9ae7edfb1658d0808b55f7fbad8f52

    SHA512

    17f34155ec38aa066c1a27b7ab3e06d79ca87f24208f24786687cb9ad73780c2bd28b0a4f59281fd80dcdf1c896500aeb1a55ee259209735642842c2d2490d42

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\d81601b02629332411d2788bf2d04887.exe
    MD5

    05890563d5c5a2136b6bb1b42e8961ec

    SHA1

    3ad235895a535da1025e18d214cd35d87c710002

    SHA256

    d095f19dcf8fefada3b643f7d79fd6ea4d9ae7edfb1658d0808b55f7fbad8f52

    SHA512

    17f34155ec38aa066c1a27b7ab3e06d79ca87f24208f24786687cb9ad73780c2bd28b0a4f59281fd80dcdf1c896500aeb1a55ee259209735642842c2d2490d42

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nseF436.tmp\olgykg.dll
    MD5

    629f6e27822c8a119bf9261602765bfb

    SHA1

    bf83d84b83f4b2eadac20b65100b8369e6dfa5a6

    SHA256

    c31b4b0f6e31c68ec550b8ca09dceb647cae82ca3261da33a47581b229249dd0

    SHA512

    554fca2328e4f11d4c6e590af00b74dab506ede3386a4dbdb547943696be885d8316f9e77a16f3c706ae4a69948153bca55073e7f36baa8547760e7e92f5abe7

    Download Submit
  • memory/796-121-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/796-124-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1312-123-0x0000000002220000-0x0000000002224000-memory.dmp
    Filesize

    16KB

    Download