Analysis

  • max time kernel
    206s
  • max time network
    234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-04-2022 13:36

General

  • Target

    c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167.exe

  • Size

    122KB

  • MD5

    3a03e80e3178b42899065511c3842b59

  • SHA1

    e374aae94e475aaa9a8ad7cb0a7f72c9e4e8c326

  • SHA256

    c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167

  • SHA512

    3895598a68d7e630d635c7cdab73339b14dae04a28e01f4b5ca06cafc3b912fed12a2c125def9b8385b2bc2ccda6d6d09ccf7cbf906046560ed8bc475c835722

Malware Config

Extracted

Family

lokibot

C2

http://panel-report-logs.ml/nnajnr/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
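
An added example (this editor's, not part of the sandbox report) that turns the extracted C2 list into host and host+path indicators and runs them over a few constructed proxy log lines. The User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the one public reporting associates with the ET "Charon/Inferno" rule and is an assumption here, not a value shown on this page; the Squid-style log format and the log lines themselves are made up for the example.

```python
"""Match proxy log lines against the Lokibot C2 indicators extracted above.

Added example, not part of the sandbox report. The log lines are constructed;
the User-Agent string is the one public reporting ties to the ET rule
"LokiBot User-Agent (Charon/Inferno)" (assumption, not taken from this page).
"""
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration.
C2_URLS = [
    "http://panel-report-logs.ml/nnajnr/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Derived indicators: exact host+path pairs, plus bare hosts so that traffic to
# a known C2 host on a different path is still reported.
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}
C2_HOST_PATHS = {(urlparse(u).hostname, urlparse(u).path) for u in C2_URLS}

LOKI_UA = "Mozilla/4.08 (Charon; Inferno)"  # assumption, see lead-in

# Constructed Squid-style line: timestamp client method url status "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return the reasons a log line looks like Lokibot C2 traffic, most
    specific first; an empty list means no match."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m["url"])
    host, path = url.hostname, url.path
    reasons = []
    if (host, path) in C2_HOST_PATHS:
        reasons.append("known-c2-url")
    elif host in C2_HOSTS:
        reasons.append("known-c2-host")
    if m["ua"] == LOKI_UA:
        reasons.append("lokibot-user-agent")
    # Generic panel shape: an HTTP POST to a .../fre.php gate. Reported as its
    # own, weaker reason so it can be used for hunting on unknown hosts.
    if m["method"] == "POST" and path.endswith("/fre.php"):
        reasons.append("fre.php-post")
    return reasons


def scan(lines):
    """Map each matching line to its reasons; non-matching lines are dropped."""
    return {line: classify(line) for line in lines if classify(line)}


# Constructed sample traffic. Note the 404 on the first line: the report's
# "Fake 404 Response" signature refers to the panel answering a successful
# check-in with a 404, so a 404 status is not evidence the request failed.
SAMPLE_LOG = [
    '2022-04-28T13:40:01Z 10.0.0.5 POST http://alphastand.trade/alien/fre.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-04-28T13:40:02Z 10.0.0.5 POST http://kbfvzoboss.bid/other/gate.php 200 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-04-28T13:40:03Z 10.0.0.9 POST http://example.org/alien/fre.php 200 "Mozilla/5.0"',
    '2022-04-28T13:40:04Z 10.0.0.7 GET http://example.com/index.html 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(", ".join(reasons), "<-", line)
```

The host-level match matters in practice: the sample's configuration lists five gates, but operators move the gate path while keeping the domain, so the bare hosts are the longer-lived indicator. The `fre.php-post` reason alone is only a hunting lead, not a verdict.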

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency-wallet stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Fake 404 Response
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this likely ransomware behaviour; nothing else in this report supports that (no file encryption or ransom note is observed), and the identified family is an infostealer.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167.exe
    "C:\Users\Admin\AppData\Local\Temp\c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\gswlpnzal.exe
      C:\Users\Admin\AppData\Local\Temp\gswlpnzal.exe C:\Users\Admin\AppData\Local\Temp\gtpoyjbk
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Users\Admin\AppData\Local\Temp\gswlpnzal.exe
        C:\Users\Admin\AppData\Local\Temp\gswlpnzal.exe C:\Users\Admin\AppData\Local\Temp\gtpoyjbk
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3088
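
An added example (this editor's, not part of the sandbox report) that encodes the process tree above as data and applies the check a triage analyst makes on it by hand: a child with the same image and command line as its parent, where the parent both wrote into another process and reset a thread context, is the self-hollowing shape; executables running out of the user's Temp directory are the dropped payloads. It also sizes the `memory/3088-...-memory.dmp` region listed under Downloads and compares it with the 3KB on-disk `gswlpnzal.exe`, which is why the dump, not the file, is what to unpack. The tree, PIDs and tags are transcribed from the report; the record layout, function names and the hollowing heuristic are this example's own.

```python
"""Triage checks over the sandbox process tree shown above.

Added example, not part of the sandbox report. PIDs, images, command lines and
behaviour tags are transcribed from the report; the Proc record, the function
names and the heuristics are this example's own.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline tags")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = r"\c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167.exe"

# Transcribed from the report's Processes section (ppid 0 = not shown).
TREE = [
    Proc(4684, 0, TEMP + SAMPLE, '"' + TEMP + SAMPLE + '"',
         {"WriteProcessMemory"}),
    Proc(4772, 4684, TEMP + r"\gswlpnzal.exe",
         TEMP + r"\gswlpnzal.exe " + TEMP + r"\gtpoyjbk",
         {"Executes dropped EXE", "SetThreadContext", "WriteProcessMemory"}),
    Proc(3088, 4772, TEMP + r"\gswlpnzal.exe",
         TEMP + r"\gswlpnzal.exe " + TEMP + r"\gtpoyjbk",
         {"Executes dropped EXE", "Accesses Microsoft Outlook profiles",
          "AdjustPrivilegeToken"}),
]

# Dump name as listed under Downloads for the final process.
PAYLOAD_DUMP = "memory/3088-136-0x0000000000400000-0x00000000004A2000-memory.dmp"


def hollowing_candidates(tree):
    """(parent_pid, child_pid) pairs where the child is a same-image, same
    command line re-spawn and the parent used both WriteProcessMemory and
    SetThreadContext: create self suspended, overwrite, fix up the thread
    context, resume. Different-image spawns are left to temp_executables()."""
    procs = {p.pid: p for p in tree}
    found = []
    for child in tree:
        parent = procs.get(child.ppid)
        if parent is None:
            continue
        same_image = child.image.lower() == parent.image.lower()
        same_cmd = child.cmdline == parent.cmdline
        injected = {"SetThreadContext", "WriteProcessMemory"} <= parent.tags
        if same_image and same_cmd and injected:
            found.append((parent.pid, child.pid))
    return found


def temp_executables(tree):
    """PIDs whose image lives under the user's Temp directory."""
    prefix = TEMP.lower() + "\\"
    return [p.pid for p in tree if p.image.lower().startswith(prefix)]


def payload_host(tree):
    """The process doing the actual stealing: the last hollowed child."""
    pairs = hollowing_candidates(tree)
    return pairs[-1][1] if pairs else None


def region_size(dump_name):
    """Byte length of a 'memory/<pid>-<n>-<start>-<end>-memory.dmp' region;
    None for the '-mapping.dmp' entries, which carry no address range."""
    if not dump_name.endswith("-memory.dmp"):
        return None
    parts = dump_name.split("-")
    start, end = int(parts[2], 16), int(parts[3], 16)
    return end - start


def image_size_mismatch(dump_name, on_disk_bytes):
    """True when the mapped image is larger than the file that was launched,
    i.e. the in-memory code is not the on-disk executable."""
    size = region_size(dump_name)
    return size is not None and size > on_disk_bytes


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(TREE))
    print("temp executables:", temp_executables(TREE))
    print("payload host pid:", payload_host(TREE))
    print("payload region KB:", region_size(PAYLOAD_DUMP) // 1024)
```

On this tree the first hop (the 122KB sample launching `gswlpnzal.exe`) is a different-image spawn and is reported only by `temp_executables`; the second hop, `gswlpnzal.exe` re-launching itself with the same `gtpoyjbk` argument, is the hollowing pair. The 648KB region at 0x400000 in PID 3088 cannot be the 3KB loader that was started, so the stealer's code is only recoverable from that dump.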

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4h48dz4ylt368kesa

    Filesize

    103KB

    MD5

    6ab5f34b0162b0155a58a16cf925b5f4

    SHA1

    1bf585184fb51bc0220a0ca7be6ea84f752ff684

    SHA256

    c29a2260d9013915d3ea8600aa69d2a869e9439122378c7faa2e16bd299c5c14

    SHA512

    b75f6581036814156b06320ecb1dc065e8fc3a3c5afb3a1353173e18988946e37ac42bb43e15bc3e5153e2e71ab793529f68d9c5435cf150dd640d37bb85ed41

  • C:\Users\Admin\AppData\Local\Temp\gswlpnzal.exe

    Filesize

    3KB

    MD5

    18ce22474748c18844ff0aa59d373ef8

    SHA1

    b96d92d60a789bc20d3559f9bcfbdc00fbcaef48

    SHA256

    ff29986d18146c430c2c94f803f4aa8ca7465f0e35597d5f4719d85ae7930dec

    SHA512

    6f186f041869629acb5c7ec65f6d419579a5f9b02b626819733e5640ce4926e135e37f62c9c14c35f0b792a01617c81603cdbfc8053091a240df6caa8e8883c6

  • C:\Users\Admin\AppData\Local\Temp\gtpoyjbk

    Filesize

    4KB

    MD5

    18cf2cefae5c4a6fb289379526523d38

    SHA1

    04b390c1a78d148d4ed5513ada723954a988b0bd

    SHA256

    0cfa5a5e0b2aa239cbfb4a60d378b1b5fef8aef6fdc06f732589b68700ccad72

    SHA512

    214773122f7636ec801abc5cc2bbe9f3625aa0142db724764580baf9ba495be32e6a3d4ea361a2a138c61761057fd9810091e8881b930dcd756bd086243ce16d

  • memory/3088-135-0x0000000000000000-mapping.dmp

  • memory/3088-136-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3088-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/3088-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4772-130-0x0000000000000000-mapping.dmp