Analysis

  • max time kernel
    163s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 13:50

General

  • Target

    7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe

  • Size

    179KB

  • MD5

    f5f2de5391dc5dc8d55697ecc2d85e0a

  • SHA1

    fedf81c45aeb814ed5afb667f95168bdb39e1c7c

  • SHA256

    7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb

  • SHA512

    cf79d23f06f4954304545fe1b246892ed9140622a314b0e2d5a8c2f757758f5b45fbfa7b931377e6687c454e979daf96606c86d69061f050fb1b501a02473176

Malware Config

Extracted

Family

lokibot

C2

http://62.197.136.176/liyan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Fake 404 Response
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe
    "C:\Users\Admin\AppData\Local\Temp\7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Users\Admin\AppData\Local\Temp\cjrxh.exe
      C:\Users\Admin\AppData\Local\Temp\cjrxh.exe C:\Users\Admin\AppData\Local\Temp\anvey
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\cjrxh.exe
        C:\Users\Admin\AppData\Local\Temp\cjrxh.exe C:\Users\Admin\AppData\Local\Temp\anvey
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2316

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (1) – T1081
  • Discovery: System Information Discovery (1) – T1082
  • Collection: Data from Local System (1) – T1005
  • Collection: Email Collection (1) – T1114

Downloads

  • C:\Users\Admin\AppData\Local\Temp\anvey
    Filesize

    5KB

    MD5

    133ed6f23bdac212a1bec546aa53b6dc

    SHA1

    e6ac58ee29e1650b48943d61623c4146e4c1fe49

    SHA256

    e224825b26d66388b0b1ee2592717cb1549fd2a88f3967f58b932a9f5d36558c

    SHA512

    57dd47a235adc703ee64c1c02691a0135a548ec09e6c5831992c831915f73c0a1c9e36acdb5bf13a2514ef0ef97852ce8a9e4a8259c08b2563994775473f3e49

  • C:\Users\Admin\AppData\Local\Temp\bnnec62izagyctmqpowe
    Filesize

    103KB

    MD5

    f05c04997d2922d0821dc8efd0dc7eb0

    SHA1

    6effdf087e6458174fa143b5915d083f50f8c916

    SHA256

    cbfe5c2d152db0ba90245d1417d4fbb3f10813260fa488118731957c0566bda5

    SHA512

    cd4ea71d98b720eb8268261d3f183f520d2c164574f010df131d7f4cf86b2efc359f8999b0db31ddc4c9fe6f4410f3fd0d7e554af75d0b5b9842e87bdc65847f

  • C:\Users\Admin\AppData\Local\Temp\cjrxh.exe
    Filesize

    74KB

    MD5

    6028bbcfc209066311a93a95ca597978

    SHA1

    67583a3b36ed1db78c52574f84fef8e74ea798fc

    SHA256

    ca4a0acedcd58f9c639dd3f3b238f56b6e8ca0f78e8f0bf67814ca26cf8543a5

    SHA512

    ffdbc53991b227b408a820edaf493941c71ecc47c5cd1b02d30650383160131f3a070897debc1bacbdb6f33aa586f72351028aad576f411c90cf1bc592e032bc

  • memory/2316-135-0x0000000000000000-mapping.dmp
  • memory/2316-136-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2316-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2316-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/3616-130-0x0000000000000000-mapping.dmp