Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 13:50

General

  • Target

    8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe

  • Size

    177KB

  • MD5

    39fb96cbed18cbc33856518a6ea2311a

  • SHA1

    94e683d0d8456adc960c735f5bc9d45970350c1e

  • SHA256

    8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950

  • SHA512

    65e45cabbdff8b57324276ac121524e4de1880cf6fb45d8dc29c2cfbfeaede87c84213208671f375800233d9fb79148fdff6a65c1fda56f5da0e98ff2a14a009

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://62.197.136.176/liyan/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Fake 404 Response
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but for this LokiBot sample it is better read as a stealer enumerating drives: nothing else in this report (no file encryption, no ransom note) points at ransomware.

  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)
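The network signatures above describe what LokiBot beacon traffic looks like without showing it. The following is an added example, not tooling from the sandbox or this report: it takes the C2 URLs from the extracted config, derives host and path IOCs from them, and classifies two constructed HTTP requests (not packets from this analysis) against those IOCs plus the traits the ET signature names refer to. The User-Agent value "Mozilla/4.08 (Charon; Inferno)" and the binary-POST beacon shape are assumptions based on the signature names, not something this report's capture confirms.

```python
"""Classify HTTP requests against the LokiBot C2 config and signature traits.

Added example for this report, not part of the sandbox's own tooling. C2_URLS
is copied from the extracted config; the two request strings are constructed
for the example, not captured traffic. The User-Agent string and the
binary-POST-to-fre.php beacon shape are assumptions taken from the ET
signature names, not from this report's pcap.
"""
from urllib.parse import urlparse

C2_URLS = [
    "http://62.197.136.176/liyan/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def c2_hosts(urls):
    """Hostnames/IPs from the config; these are the blocklist-ready IOCs."""
    return {urlparse(u).hostname for u in urls}


def c2_paths(urls):
    """URL paths from the config (every gate here ends in /fre.php)."""
    return {urlparse(u).path for u in urls}


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target, "headers": headers, "body": body}


def classify(raw, hosts, paths):
    """Return the LokiBot indicators this request matches (empty list = clean)."""
    req = parse_request(raw)
    hdr = req["headers"]
    reasons = []
    if hdr.get("host", "").lower() in hosts:
        reasons.append("host-in-c2-config")
    if req["path"] in paths:
        reasons.append("path-in-c2-config")
    ua = hdr.get("user-agent", "").lower()
    if "charon" in ua and "inferno" in ua:      # assumed LokiBot UA (Charon/Inferno)
        reasons.append("lokibot-user-agent")
    # Assumed beacon shape: a POST of a binary blob to a fre.php gate.
    if (req["method"] == "POST"
            and req["path"].lower().endswith("/fre.php")
            and hdr.get("content-type", "").lower() == "application/octet-stream"):
        reasons.append("binary-post-to-fre.php")
    return reasons


# Constructed sample traffic (not from this report's capture).
BEACON = (
    "POST /alien/fre.php HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: kbfvzoboss.bid\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Length: 4\r\n"
    "Connection: close\r\n"
    "\r\n"
    "\x12\x00\x00\x00"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hosts, paths = c2_hosts(C2_URLS), c2_paths(C2_URLS)
    for name, raw in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, classify(raw, hosts, paths))
```

Host and path matches are the high-confidence hits because they come straight from the sample's config; the User-Agent and beacon-shape checks are what keep coverage when the operator rotates the alphastand.* domains, which is exactly why the config carries five gates.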

Processes

  • C:\Users\Admin\AppData\Local\Temp\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
    "C:\Users\Admin\AppData\Local\Temp\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Users\Admin\AppData\Local\Temp\nazbeb.exe
      C:\Users\Admin\AppData\Local\Temp\nazbeb.exe C:\Users\Admin\AppData\Local\Temp\jyioadmvle
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\nazbeb.exe
        C:\Users\Admin\AppData\Local\Temp\nazbeb.exe C:\Users\Admin\AppData\Local\Temp\jyioadmvle
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4416
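The process tree above is the classic dropper-then-hollow chain: the original sample writes and launches nazbeb.exe, which relaunches its own image and uses SetThreadContext plus WriteProcessMemory on the child, and only that child (PID 4416) shows the Outlook/credential-access behaviour. The following is an added example, not the sandbox's own logic: it encodes the three process records from this report (parent PIDs inferred from the tree nesting, since the report shows depth markers rather than ppids; the Proc field names are this example's own) and picks out the dropper hop, the hollowing pair, and the PID whose memory is worth carving.

```python
"""Spot the self-spawn + SetThreadContext/WriteProcessMemory hollowing pattern
in a sandbox process tree.

Added example, not the sandbox's own logic. The three records are transcribed
from the Processes section of this report; parent PIDs are inferred from the
tree nesting (the report shows depth markers, not ppids), and the Proc field
names are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROOT = TEMP + r"\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe"
STAGE2 = TEMP + r"\nazbeb.exe"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    signatures: Set[str] = field(default_factory=set)


PROCESSES: List[Proc] = [
    Proc(3220, None, ROOT, f'"{ROOT}"', {"WriteProcessMemory"}),
    Proc(3188, 3220, STAGE2, f"{STAGE2} {TEMP}\\jyioadmvle",
         {"Executes dropped EXE", "SetThreadContext", "WriteProcessMemory"}),
    Proc(4416, 3188, STAGE2, f"{STAGE2} {TEMP}\\jyioadmvle",
         {"Executes dropped EXE", "Accesses Microsoft Outlook profiles",
          "AdjustPrivilegeToken", "outlook_office_path", "outlook_win_path"}),
]

# The API pair hollowing needs: overwrite the suspended child's memory, then
# redirect its main thread to the written payload.
INJECTION = {"SetThreadContext", "WriteProcessMemory"}
CREDENTIAL_ACCESS = {"Accesses Microsoft Outlook profiles",
                     "Reads user/profile data of web browsers",
                     "outlook_office_path", "outlook_win_path"}


def _by_pid(procs):
    return {p.pid: p for p in procs}


def hollowing_candidates(procs) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a process relaunches its own image and
    carries the thread-context/memory-write pair."""
    by_pid = _by_pid(procs)
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and INJECTION <= parent.signatures:
            hits.append((parent.pid, child.pid))
    return hits


def dropper_chain(procs) -> List[Tuple[int, int]]:
    """(parent, child) hops where the child is a dropped EXE with a different
    image than its parent (the 3220 -> 3188 hop in this report)."""
    by_pid = _by_pid(procs)
    edges = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if ("Executes dropped EXE" in child.signatures
                and parent.image.lower() != child.image.lower()):
            edges.append((parent.pid, child.pid))
    return edges


def credential_access_pids(procs) -> List[int]:
    """PIDs showing stealer behaviour; in a hollowed chain that is the injected
    child, where the unpacked payload actually runs."""
    return [p.pid for p in procs if p.signatures & CREDENTIAL_ACCESS]


def _depth(p, by_pid):
    d = 0
    while p.ppid in by_pid:
        p = by_pid[p.ppid]
        d += 1
    return d


def payload_pid(procs) -> Optional[int]:
    """The process whose memory dump to carve: the deepest hollowed child that
    also performs credential access, or None if the pattern is absent."""
    by_pid = _by_pid(procs)
    hollowed = {child for _, child in hollowing_candidates(procs)}
    inner = hollowed & set(credential_access_pids(procs))
    if not inner:
        return None
    return max(inner, key=lambda pid: _depth(by_pid[pid], by_pid))


if __name__ == "__main__":
    print("dropper hops:", dropper_chain(PROCESSES))
    print("hollowing pairs:", hollowing_candidates(PROCESSES))
    print("carve memory of PID:", payload_pid(PROCESSES))
```

Note that PID 3220 also shows WriteProcessMemory but launches a different image, so it is classified as the dropper hop rather than a hollowing parent; the hollowing check requires both the self-image relaunch and the full API pair. For this report the PID the function returns is 4416, which is why the 0x400000-0x4A2000 region in the memory/4416-136 dump listed below is the artifact to pull for static analysis of the unpacked LokiBot payload.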

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11itn4vgjwi7rbw698y9
    Filesize

    103KB

    MD5

    c590478e77c9e019771b181b13362629

    SHA1

    1fd2f2fafe2c95b75e422d869ee49e0fc9f19e5f

    SHA256

    709531c7ef6151725bc0e68d2b50bb87cc5f85243adab511fc630d493541ec4b

    SHA512

    fd0fde6af028c0f40b17e488c9cfd7beaeebadd082a22c5a5a39ea229d2a27d03c7fb4bf3efd7c3fda2cd17184d15a17e76e97f3480e30ba84750516d30e5fbc

  • C:\Users\Admin\AppData\Local\Temp\jyioadmvle
    Filesize

    4KB

    MD5

    1108a516c107c60ccf1430555efbad88

    SHA1

    0234f6a73f558d6e472d996ced13f9536cb6f369

    SHA256

    49a11ac8bbc855a3e73e62941328d38cc9047ef3eddb018d06609f1d48c0e0a8

    SHA512

    24315f41f1a124bcaee04c0cda5406c142a65ab3fcb589a23551deb7df3b3f1a5bce2b04a949733bbe0ceefb3f4d60b04d8c25cd350abf28ddf0c51279e29597

  • C:\Users\Admin\AppData\Local\Temp\nazbeb.exe
    Filesize

    73KB

    MD5

    0d1ab370889916ecbf81e1526953f688

    SHA1

    14d9e3cfd545a862782586b81bfa2f2b1ee4dd19

    SHA256

    1cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f

    SHA512

    259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37

  • memory/3188-130-0x0000000000000000-mapping.dmp
  • memory/4416-135-0x0000000000000000-mapping.dmp
  • memory/4416-136-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/4416-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/4416-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB