Analysis
- max time kernel: 181s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
Resource: win7-20220414-en
General
- Target: ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
- Size: 178KB
- MD5: c85a753c46e005748eb59d6d062d596c
- SHA1: 396d1f6cbcf4e06965f270b7d5aa67ce784cec6b
- SHA256: ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076
- SHA512: a56eceb55e81e1d83bc3ea11db2889cb1c0c4d907d1d232cfdaecbf9a1ddfa927b70702e32064471841379291eb3e825f22ae5a3dad72ead3aaa763fb48d4980
Malware Config
Extracted: lokibot
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
- PID 3964: bqxnvpn.exe
- PID 2244: bqxnvpn.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
- bqxnvpn.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- bqxnvpn.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- bqxnvpn.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 3964 (bqxnvpn.exe) set thread context of PID 2244 (bqxnvpn.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- PID 2244 (bqxnvpn.exe): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 3340 (ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe) wrote to memory of PID 3964 (bqxnvpn.exe), 3 times
- PID 3964 (bqxnvpn.exe) wrote to memory of PID 2244 (bqxnvpn.exe), 9 times
outlook_office_path (1 IoCs)
Processes:
- bqxnvpn.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path (1 IoCs)
Processes:
- bqxnvpn.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
1. C:\Users\Admin\AppData\Local\Temp\ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe C:\Users\Admin\AppData\Local\Temp\xuuzonszwq
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe C:\Users\Admin\AppData\Local\Temp\xuuzonszwq
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5yanui8wijlofiymi3
  Filesize: 103KB
  MD5: 47b52a13bab5abc68f0759b85875eeba
  SHA1: e3958b54cbf4b7fe049868f515091e0ed0c72924
  SHA256: 5efb500696a9b4fc8380e9787238a383d3b089726b93217a654de19c8c97b90f
  SHA512: 2d275b88eba6a96d6825b1e0bbf7bdc6f6911e3c6114c47d26e3469bd35275ce742efba3c2286792711ca069ac08a0425442ced46333aee5b79ffccb386cd414
- C:\Users\Admin\AppData\Local\Temp\bqxnvpn.exe
  Filesize: 74KB
  MD5: fbb50a4dde4b69f38e9f2d1479c9071f
  SHA1: 1dbbf994ed9df12c3954ad4f34567d38ed070e7a
  SHA256: 479830f50971563799312fb2eec4c2f998339c215c18720d0bae647bd7d20b41
  SHA512: b9d73bc203dc5c86c3760cbb1b68c04dff80aa9a3f449a8d52e936c5f500eddf707658d84160e43f5047aaa6339b6ac379791844374e51838297eb5f029431ca
- C:\Users\Admin\AppData\Local\Temp\xuuzonszwq
  Filesize: 5KB
  MD5: b796f086df06d86d89004e4a327cf64c
  SHA1: 2d3ba67b340f12e7580760f49257cca12e7525c4
  SHA256: b80bdb41ee3979fa3c00a7ada454fe9d401405323231e37571173203e52f2675
  SHA512: 44d5e199f4d19c2b900cedbdc9411e6e58492abf638c3967c88b054ad4d6b897187a65af1540df0d6040e1b977787005030bdbc1ba590cca4d0e7fed0489bf29
- memory/2244-135-0x0000000000000000-mapping.dmp
- memory/2244-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2244-136-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/2244-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/3964-130-0x0000000000000000-mapping.dmp