Analysis
- max time kernel: 124s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe
Resource: win7-20220414-en
General
- Target: a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe
- Size: 178KB
- MD5: 2c24fa42140a8a16f3777173a2d3f0ab
- SHA1: a11c097a2317d636ee095ccb94ee9d6c96934eda
- SHA256: a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935
- SHA512: 267151d9b75fd3976f55a2119c4218960d89e351afea397eb34877ae1ff9d5c3fb1d094875b695b6ce509b59acf619a18e2a3a97673fd5a15b520635e211494c
Malware Config
Extracted family: lokibot
C2:
- http://sempersim.su/gf17/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE (2 IoCs)
Processes:
  - PID 680: eqwqaboyko.exe
  - PID 3920: eqwqaboyko.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (eqwqaboyko.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (eqwqaboyko.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (eqwqaboyko.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  - PID 680 (eqwqaboyko.exe) set thread context of PID 3920 (eqwqaboyko.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  - Token: SeDebugPrivilege, PID 3920 (eqwqaboyko.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  - PID 1692 (a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe) wrote to memory of PID 680 (eqwqaboyko.exe)
  - PID 1692 (a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe) wrote to memory of PID 680 (eqwqaboyko.exe)
  - PID 1692 (a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe) wrote to memory of PID 680 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)
  - PID 680 (eqwqaboyko.exe) wrote to memory of PID 3920 (eqwqaboyko.exe)

outlook_office_path (1 IoC)
Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (eqwqaboyko.exe)

outlook_win_path (1 IoC)
Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (eqwqaboyko.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9ffbe69538bcd014f6c7b1606c3df5781d369cf4386240ab1a788e9a2f99935.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe C:\Users\Admin\AppData\Local\Temp\ivwgcigp
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe C:\Users\Admin\AppData\Local\Temp\ivwgcigp
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eqwqaboyko.exe
  Filesize: 73KB
  MD5: c6e95b9264ecd68e1f8d379527b2dd15
  SHA1: c6cab9a8e155a2290648238dc012ee045c551ec0
  SHA256: 8d2995105f833bc5472bc5eb4bd1d46cf6e1c531036806a521804db749b2cd47
  SHA512: 631fc25a84db6c43434cb3de88110fb9296989bbca8a5ee0209a407548246ccc17b2d9cb830f59bc7beeec7ff27c30bbff08c9bd65959281f8798996f07ae123
- C:\Users\Admin\AppData\Local\Temp\eyn8t27d3l8n
  Filesize: 103KB
  MD5: 23f15d7c39493ef1ff974603008f4620
  SHA1: 97e0eabd827724084dcb2dcc04b1212439da899e
  SHA256: 8a4d2d9d0efcfe8ac06942e6c314c3be4951e63602b374a0b9cca5b9a48ddebc
  SHA512: 982f18f894ace376e41cd5f978357869f293d226eef5b71fbadaa48f7ae89fa353627d648a00f5292b08088d7ab86cffd6fc0b58adc23509ae91e74bbd001d29
- C:\Users\Admin\AppData\Local\Temp\ivwgcigp
  Filesize: 4KB
  MD5: 37fdb3c3ec3b846ccd7be9588ce96d28
  SHA1: 35fbc15b62c4c4c7ff3254072aa2f0fd5d38d0f3
  SHA256: 1bfeba5d98d816b4f41599c227829cd2b845b049794575f4b38cab8a23aa9ed1
  SHA512: c19c3f6047ced5b1c87f98013f16d318644b54f803405a0cd2da36127197b74ca79690c2c7a3b24ed43ababd88964e4dcc5f0c41e33101c982fbf6ff6df578bc
- memory/680-130-0x0000000000000000-mapping.dmp
- memory/3920-135-0x0000000000000000-mapping.dmp
- memory/3920-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3920-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/3920-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB