Analysis

  • max time kernel
    133s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    23-02-2022 13:08

General

  • Target

    33e915c5057bbb6481b2d492d1bde0ed.exe

  • Size

    281KB

  • MD5

    33e915c5057bbb6481b2d492d1bde0ed

  • SHA1

    61c5cb98ab708ad84cb367db83df804ff651918e

  • SHA256

    1960cdd2c85eb563f15831012f4afe994ed4da25091b6d89b81563d5217a4484

  • SHA512

    05dd3071aa006a3bc86f22953bf96f01bb6d286e1cbc20d2c946dab0c9c7f9cff977816a80b930a889d9bcbe9115b4b06e3ffa6dbdbe2c4e2581c34ca30e7bb5

Malware Config

Extracted

Family

lokibot

C2

http://brokenskulltechnologies.tk/BN1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour; for an infostealer such as Lokibot it is more consistent with enumerating drives for data to collect.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
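
The C2 URLs extracted above and the two Suricata hits (LokiBot Checkin, LokiBot User-Agent Charon/Inferno) are the network indicators a responder would pivot on first. As an added example that is not part of the sandbox report, the following Python checks constructed proxy log lines against those URLs and against the Charon/Inferno User-Agent. The log lines and their format are constructed; the full User-Agent value "Mozilla/4.08 (Charon; Inferno)" is the commonly documented Lokibot string and is an assumption here, since the report only names "Charon/Inferno".

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's config in the report.
C2_URLS = [
    "http://brokenskulltechnologies.tk/BN1/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Lokibot check-in User-Agent. The Suricata rule names "Charon/Inferno";
# the full "Mozilla/4.08 (Charon; Inferno)" value is assumed, not quoted in the report.
LOKIBOT_UA = re.compile(r"Charon;\s*Inferno", re.I)

# Constructed proxy log format (assumption, not a real product's format):
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
LOG_FORMAT = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if it does not match."""
    m = LOG_FORMAT.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return the reasons one proxy event looks like Lokibot C2 traffic (empty if none)."""
    reasons = []
    host = urlparse(event["url"]).hostname
    if event["url"] in C2_URLS:
        reasons.append("url matches extracted C2")
    elif host in C2_HOSTS:
        # Same C2 host, different path: still worth a look, weaker than an exact URL hit.
        reasons.append("host matches extracted C2 host")
    if LOKIBOT_UA.search(event["ua"]):
        reasons.append("Lokibot User-Agent (Charon/Inferno)")
    if event["method"] == "POST" and event["url"].endswith("/fre.php"):
        # Lokibot gates are conventionally named fre.php; a POST to one is the check-in.
        reasons.append("POST to fre.php (Lokibot gate naming)")
    return reasons


def scan(lines):
    """Return (src_ip, url, reasons) for every parseable line that matched at least one rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append((ev["src"], ev["url"], reasons))
    return hits


# Constructed sample log: two check-ins to listed C2s, one benign request,
# and one request to a listed C2 host on an unlisted path.
SAMPLE_LOG = [
    '2022-02-23T13:09:01Z 10.0.0.7 POST http://brokenskulltechnologies.tk/BN1/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-02-23T13:09:05Z 10.0.0.7 POST http://kbfvzoboss.bid/alien/fre.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-02-23T13:09:09Z 10.0.0.12 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2022-02-23T13:09:15Z 10.0.0.12 POST http://alphastand.top/other/gate.php 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, url, reasons in scan(SAMPLE_LOG):
        print(src, url, "; ".join(reasons))
```

The exact-URL match is the strongest signal; the host-only and fre.php checks are there because Lokibot operators rotate paths and domains, so a responder reviewing proxy data should not rely on the literal URLs alone.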

Processes

  • C:\Users\Admin\AppData\Local\Temp\33e915c5057bbb6481b2d492d1bde0ed.exe
    "C:\Users\Admin\AppData\Local\Temp\33e915c5057bbb6481b2d492d1bde0ed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe
      C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe C:\Users\Admin\AppData\Local\Temp\utxlkafazn
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe
        C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe C:\Users\Admin\AppData\Local\Temp\utxlkafazn
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:632
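
The tree above shows the dropped xeenxkkwy.exe (PID 976) starting a second copy of itself (PID 632) and being flagged for SetThreadContext and WriteProcessMemory against it, the sequence a hollowing-style injection into a suspended child produces; the payload then runs from PID 632, which is where the Outlook profile access and the 648KB memory dumps appear. As an added example that is not part of the report, the following Python rebuilds a process tree from constructed Sysmon-like events (the event shape and field names are assumptions, not the sandbox's format) and flags a child that runs the same image as its parent from a user temp directory after the parent used both APIs on it.

```python
from collections import defaultdict

# Constructed events modelled on the process tree in the report (not sandbox output).
# kind "proc": process creation; kind "api": a sensitive API call from pid against target.
EVENTS = [
    {"kind": "proc", "pid": 3532, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\33e915c5057bbb6481b2d492d1bde0ed.exe"},
    {"kind": "api", "pid": 3532, "api": "WriteProcessMemory", "target": 976},
    {"kind": "proc", "pid": 976, "ppid": 3532,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe"},
    {"kind": "api", "pid": 976, "api": "WriteProcessMemory", "target": 632},
    {"kind": "api", "pid": 976, "api": "SetThreadContext", "target": 632},
    {"kind": "proc", "pid": 632, "ppid": 976,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe"},
    # Benign control: a normal process launch with no injection APIs involved.
    {"kind": "proc", "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Both APIs together on one target are the hollowing tell; either alone is noisy.
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def build_tree(events):
    """Index process-creation events by pid and injection APIs by (caller, target)."""
    procs = {}
    apis = defaultdict(set)
    for e in events:
        if e["kind"] == "proc":
            procs[e["pid"]] = e
        elif e["kind"] == "api" and e["api"] in INJECTION_APIS:
            apis[(e["pid"], e["target"])].add(e["api"])
    return procs, apis


def find_self_hollowing(events):
    """Flag children that (a) run the same image as their parent, (b) from a user
    temp directory, and (c) had both memory writes and a thread context set by the parent."""
    procs, apis = build_tree(events)
    findings = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent is None:
            continue  # parent not in the event set; nothing to compare against
        same_image = parent["image"].lower() == p["image"].lower()
        in_temp = TEMP_MARKER in p["image"].lower()
        used = apis.get((parent["pid"], pid), set())
        if same_image and in_temp and INJECTION_APIS <= used:
            findings.append({"parent_pid": parent["pid"], "child_pid": pid,
                             "image": p["image"], "apis": sorted(used)})
    return findings


if __name__ == "__main__":
    for f in find_self_hollowing(EVENTS):
        print(f"{f['parent_pid']} -> {f['child_pid']}: {f['image']} via {', '.join(f['apis'])}")
```

The first hop (3532 writing into 976) is deliberately not flagged: the images differ, so that is the dropper launching its payload rather than the payload re-launching itself. Requiring both APIs from the parent against the specific child keeps the rule from firing on ordinary debuggers or installers that use one of them.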

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\p96bsbyl0epr5hx3k0jr

    MD5

    0630bbdb7f048ab5198aee798cd8a27b

    SHA1

    c00744a23f0adbc9d95c18ed3d59a9182193d2d4

    SHA256

    14256ae3234ae106d4c6dadbadb7b371a737cd0125b76d4b7e3efb08a4f8a337

    SHA512

    f48ed51130d6fc59cf103b1386ed806703f656461d8c2da5930d22387f2508670f39b37427fb429b024d37ccfae31786026322ac9deddc90cd4a994fdd002130

  • C:\Users\Admin\AppData\Local\Temp\utxlkafazn

    MD5

    46488a7dab4fccb5c9dd1ea962dc0932

    SHA1

    3fcf73e0b63a4905e33c38934f39d44ac5412684

    SHA256

    f5bad29b2277274a07921fc52792c3533c2cab15d3ba1df4f0d3f265e97c888e

    SHA512

    b4d7acb12fc39f463c25798c65d929eda77b4cfc2813146bceb6577295037cec3712eb7880ff5631507e62b30c67e5d51f7e7ee487641b9c4ae37b478787d5a9

  • C:\Users\Admin\AppData\Local\Temp\xeenxkkwy.exe

    MD5

    0e84baf1081cea7fbdb4e5ae59a92e41

    SHA1

    ed219f13658e55bfa21dc6c7b082238ca9741113

    SHA256

    2d74ad39ba03c6b9aeed278383050ebf42b61451bde1865495504ef4dc043514

    SHA512

    901d73bdb64929d260b2d8af25009f27a8c7ebce26a9d221e4bac47564156e406443c6464efaa00efe172abbdbcfe3e87631ce83f486a870cbefbf34eff9899a

  • memory/632-134-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/632-136-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB