Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-05-2022 13:50
Static task
static1
Behavioral task
behavioral1
Sample
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe
Resource
win7-20220414-en
General
-
Target
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe
-
Size
263KB
-
MD5
7d864335708caf3622fa3899c12032b4
-
SHA1
838e863a6964d75b256364cbedf3f5ff7e657c1f
-
SHA256
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218
-
SHA512
8d3a6824a8e79b373c09a11c75afde1d850b577e25f4d7a29fdcc1807c588f4313660ad278e3f24aef3ee0de4de90529feed3aef8bdca9e0c0885703dc84ec9a
Malware Config
Extracted
lokibot
http://sempersim.su/gf10/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exepid process 3180 b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exedescription pid process Token: SeDebugPrivilege 3180 b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe -
outlook_office_path 1 IoCs
Processes:
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe -
outlook_win_path 1 IoCs
Processes:
b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe"C:\Users\Admin\AppData\Local\Temp\b2c69402bbdd2f0b4cb424472de38ec42f1bebf837f86a71b0e2c82ffe511218.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path