Analysis

  • max time kernel
    181s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 13:50

General

  • Target

    b6dd379ab3103cb7e18e3e284d100b7d248bc270a1eebb20189ebec5ec5884e1.exe

  • Size

    207KB

  • MD5

    bfc3dc4f6cc804cbe44e898639b598a6

  • SHA1

    b9ce3dca1af546364cc719d9263d39869622f064

  • SHA256

    b6dd379ab3103cb7e18e3e284d100b7d248bc270a1eebb20189ebec5ec5884e1

  • SHA512

    90670483faec35ab8d6d4c6f4221cfb3d6584bea6f16f82edddc8156e6cb890ea7cefdca351a34d6024062d87ce947a88e5d52e580f46c177f74868f80ed5a94

Malware Config

Extracted

Family

lokibot

C2

https://umenako.co.vu/otm/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; in this sample it sits alongside an identified infostealer, so the drive enumeration is better read as host reconnaissance than as an encryption precursor.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
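
The C2 list and the Suricata signature names above give a defender two network-side handles: the five gate URLs (all ending in fre.php) and the LokiBot User-Agent that the ET rule names by its Charon/Inferno tokens. The script below is an added example, not part of the sandbox report or of the Emerging Threats ruleset. It scans constructed proxy log lines (the log format and the sample entries are ours; the User-Agent string in them is the documented LokiBot one the rule name refers to, but matching uses only the two tokens the rule names) and reports which indicators each request matched, so a host that is not in this sample's configuration but uses the same User-Agent and gate path still surfaces as a weaker hit.

```python
"""Match HTTP/proxy log lines against the LokiBot network indicators in this report."""
import shlex
from urllib.parse import urlparse

# C2 gate URLs as extracted by the sandbox (copied from the report above).
C2_URLS = [
    "https://umenako.co.vu/otm/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}
C2_PATHS = {urlparse(u).path for u in C2_URLS}

# Tokens the ET rule "LokiBot User-Agent (Charon/Inferno)" is named after.
UA_TOKENS = ("charon", "inferno")


def classify_request(host, path, user_agent):
    """Return the indicator names a request matches (empty list = clean).

    A known C2 hostname is a high-confidence hit on its own. The User-Agent and
    gate-path checks are weaker, but they generalise to panels that were not in
    this sample's configuration.
    """
    reasons = []
    if (host or "").lower() in C2_HOSTS:
        reasons.append("known-c2-host")
    ua = (user_agent or "").lower()
    if all(tok in ua for tok in UA_TOKENS):
        reasons.append("lokibot-user-agent")
    if path in C2_PATHS:
        reasons.append("c2-gate-path")
    return reasons


def scan_log(lines):
    """Parse constructed log lines of the form
       <timestamp> <src_ip> <method> <url> "<user-agent>"
    and return (src_ip, url, reasons) for every line that matched something."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess at field positions
        _ts, src_ip, _method, url, ua = fields
        parsed = urlparse(url)
        reasons = classify_request(parsed.hostname, parsed.path, ua)
        if reasons:
            hits.append((src_ip, url, reasons))
    return hits


# Constructed sample log (not from the report): one check-in to a listed C2,
# one to an unlisted host that still uses the LokiBot UA and gate path, one benign.
SAMPLE_LOG = """
2022-05-14T13:51:02Z 10.0.0.5 POST http://kbfvzoboss.bid/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-05-14T13:51:09Z 10.0.0.5 POST http://198.51.100.7/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-05-14T13:52:00Z 10.0.0.9 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
""".strip().splitlines()

if __name__ == "__main__":
    for src, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} -> {url}: {', '.join(reasons)}")
```

The hostname set is what you would push to a blocklist; the User-Agent and path checks belong in a hunting query, since a legitimate fre.php on an unrelated site will trip the path rule on its own.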

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6dd379ab3103cb7e18e3e284d100b7d248bc270a1eebb20189ebec5ec5884e1.exe
    "C:\Users\Admin\AppData\Local\Temp\b6dd379ab3103cb7e18e3e284d100b7d248bc270a1eebb20189ebec5ec5884e1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe
      C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe C:\Users\Admin\AppData\Local\Temp\pdbugmp
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe
        C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe C:\Users\Admin\AppData\Local\Temp\pdbugmp
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4984
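
The tree above shows the sample (PID 2120) writing rpybgslqrk.exe and pdbugmp to %TEMP%, launching the dropped executable (PID 1596), which then re-launches its own image with the same argument (PID 4984). The SetThreadContext and WriteProcessMemory tags on PID 1596 are the usual footprint of a process-hollowing style injection into that child, and the Outlook-profile access and privilege-token use appear only in the child. The following is an added detection example, not part of the sandbox report or of any tool named on it: the event records are constructed from the PIDs, image paths and behaviour tags shown above, the record shape and rule names are ours, and the hollowing interpretation is the standard reading of that API pair rather than something the report states.

```python
"""Flag the drop -> re-execute -> inject pattern in a process-creation event stream."""
from collections import defaultdict

TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed event records mirroring the report's process tree. PIDs, image
# paths and behaviour tags are copied from the report; the record shape is ours.
EVENTS = [
    {"pid": 2120, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b6dd379ab3103cb7e18e3e284d100b7d248bc270a1eebb20189ebec5ec5884e1.exe",
     "behaviours": {"WriteProcessMemory"}},
    {"pid": 1596, "ppid": 2120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe",
     "behaviours": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 4984, "ppid": 1596,
     "image": r"C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe",
     "behaviours": {"AdjustPrivilegeToken", "AccessesOutlookProfiles"}},
]

# API pair that, on a parent which then spawns its own image, is the usual
# footprint of process hollowing (create suspended, overwrite, redirect entry).
HOLLOWING_APIS = {"SetThreadContext", "WriteProcessMemory"}


def in_temp(image):
    return TEMP_MARKER in image.lower()


def dropped_temp_executables(events):
    """PIDs of processes started from %TEMP% by a parent that also ran from %TEMP%
    under a different image name: a stage-1 binary launching something it wrote."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent not in the stream (e.g. the sandbox launcher)
        if in_temp(e["image"]) and in_temp(parent["image"]) \
                and e["image"].lower() != parent["image"].lower():
            hits.append(e["pid"])
    return hits


def injection_chains(events):
    """(parent_pid, child_pid) pairs where a process re-launched its own image
    and used the hollowing API pair; the child is the likely payload host."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        same_image = e["image"].lower() == parent["image"].lower()
        if same_image and HOLLOWING_APIS <= parent["behaviours"]:
            chains.append((parent["pid"], e["pid"]))
    return chains


def render_tree(events):
    """Indented text rendering of the tree, one line per process."""
    children = defaultdict(list)
    by_pid = {e["pid"]: e for e in events}
    roots = []
    for e in events:
        (children[e["ppid"]] if e["ppid"] in by_pid else roots).append(e)
    lines = []

    def walk(e, depth):
        tags = ", ".join(sorted(e["behaviours"]))
        lines.append(f"{'  ' * depth}PID:{e['pid']} {e['image']}  [{tags}]")
        for c in children[e["pid"]]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS))
    print("dropped executables run from %TEMP%:", dropped_temp_executables(EVENTS))
    print("self-relaunch + hollowing APIs:", injection_chains(EVENTS))
```

On real telemetry the behaviour tags would come from an EDR's API-call or ETW feed rather than a sandbox summary; the self-relaunch check on its own is noisy (installers and updaters do it), which is why it is only reported when paired with the API evidence on the parent.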

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4t4p635tl9td9h6gva7

    Filesize

    103KB

    MD5

    89b71ccc2b31d4356111adeea3dcd8c0

    SHA1

    542037bb7ce7975ef482c6806799a773aa33c542

    SHA256

    60503820d0fa9988a4b0820a1bd97958a22dd78ed0d268965920d701ded5df33

    SHA512

    ba038aabf83fc4036090624eee9bc5602dfafdf5a48931889588088af337d5fa20f1f499ac0fe7300e3d0236326dcf4763e20a788a7be16df5cecc9a81b13d6a

  • C:\Users\Admin\AppData\Local\Temp\pdbugmp

    Filesize

    4KB

    MD5

    81541c6bc1eaa973453b4ffd7a39b044

    SHA1

    0bc82726af813223905f66a109166a0ac065696d

    SHA256

    d879fb192ee5162b734b8c3f105200698ae5946b0a2f51f485eb6990cb500028

    SHA512

    a5284b7c44c4027e0c571f0f07e54f9dd0323926cb62c1675486afeb55849fded9fc32560f423319422937f6bed106f91b53fff0906449c9ef29412e79b7a572

  • C:\Users\Admin\AppData\Local\Temp\rpybgslqrk.exe

    Filesize

    133KB

    MD5

    f7e6c5413e94bda2ba0d072c0f94e534

    SHA1

    1f15d52d167797f5ad10d3be6cbb47dac8aef84d

    SHA256

    722eb9345ddf470068954a500544e69e849a789d629c2fe8bcdc4d773f66cec8

    SHA512

    c51f289ea5faf527e1e0884fc31df4130b487728fdafdd5523207091d0c0f3655ad8a697410a4c901a48adb4e3e815ddf466b3447864017376a84034f5178862

  • memory/1596-130-0x0000000000000000-mapping.dmp

  • memory/4984-135-0x0000000000000000-mapping.dmp

  • memory/4984-136-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4984-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/4984-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB