Analysis

  • max time kernel
    128s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 13:50

General

  • Target

    e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe

  • Size

    178KB

  • MD5

    76f60d8b7e3ff84e6f804f5bda945117

  • SHA1

    9b80a0b687c3d6af052df852a0036126c18b7cf6

  • SHA256

    e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2

  • SHA512

    ae533d9eefcce95fcc975b1ff4b512a25e34bc5eab9cd25af27f72985f6ad1e58bc5c768c210055d3016384274528620bc6f7fec18dde3497bd2d03957752e68

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/tmglobal/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe
    "C:\Users\Admin\AppData\Local\Temp\e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\zfmoan.exe
      C:\Users\Admin\AppData\Local\Temp\zfmoan.exe C:\Users\Admin\AppData\Local\Temp\ghqeea
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\zfmoan.exe
        C:\Users\Admin\AppData\Local\Temp\zfmoan.exe C:\Users\Admin\AppData\Local\Temp\ghqeea
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ghqeea
    Filesize

    4KB

    MD5

    b72a9336e771fd84c480c846b7af6fc8

    SHA1

    e67895e07c4d8ddaecc1cd42372e2026b900a868

    SHA256

    e9d7108976e7bbc6b5c731272ff8795bfae064efc8ef8fdd800535b5eccc1cb3

    SHA512

    110d53921e403e0998345e3935a5249b1b619df1285af9e6539fe5e75bb6363abcb8f553783f39fd03255393ed65e5204e21c85aca8847d4b6fd986476d27901

  • C:\Users\Admin\AppData\Local\Temp\oesv2nejinzevak23
    Filesize

    103KB

    MD5

    80affb727e6e3ac9d8abbe592f7cc9ab

    SHA1

    2f4227fb343e3f95588d51eafa516bd07f99535e

    SHA256

    7556546fa0ee5dcc08f2a3d2a4b03ca5254b980238864d24a539e5fcff85625f

    SHA512

    0a07374ba2865a00b50847b793b70d4e372badc8ec131ce52b370e8d220f0d05038371b388f0ddfea5f48f18d35ac559f3fd9f01e1551f76358c56eb0f4716c5

  • C:\Users\Admin\AppData\Local\Temp\zfmoan.exe
    Filesize

    74KB

    MD5

    cb1e80bb38043f9e0bb9b6eee3370553

    SHA1

    110cd055ab3cf6d373acc023fc0ab01c66bc587c

    SHA256

    bce99e85ef7e3723d4da6e12671d9024f5ca07e441255f9ae1761f79a023790c

    SHA512

    dd33a59a762dc69579384cd7b4d69233d9f97a62fbcb1e61a33aab53399791891f6753477a0eb5daae0701b7658e01a6b03ab978df6c4c7514413690dbadb108

  • memory/1432-135-0x0000000000000000-mapping.dmp
  • memory/1432-136-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1432-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1432-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1656-130-0x0000000000000000-mapping.dmp