Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-05-2022 13:50
Static task
static1
Behavioral task
behavioral1
Sample
8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
Resource
win7-20220414-en
General
-
Target
8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe
-
Size
177KB
-
MD5
39fb96cbed18cbc33856518a6ea2311a
-
SHA1
94e683d0d8456adc960c735f5bc9d45970350c1e
-
SHA256
8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950
-
SHA512
65e45cabbdff8b57324276ac121524e4de1880cf6fb45d8dc29c2cfbfeaede87c84213208671f375800233d9fb79148fdff6a65c1fda56f5da0e98ff2a14a009
Malware Config
Extracted
lokibot
http://62.197.136.176/liyan/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE 2 IoCs
Processes:
nazbeb.exenazbeb.exepid process 3188 nazbeb.exe 4416 nazbeb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
nazbeb.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook nazbeb.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook nazbeb.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook nazbeb.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
nazbeb.exedescription pid process target process PID 3188 set thread context of 4416 3188 nazbeb.exe nazbeb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
nazbeb.exedescription pid process Token: SeDebugPrivilege 4416 nazbeb.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exenazbeb.exedescription pid process target process PID 3220 wrote to memory of 3188 3220 8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe nazbeb.exe PID 3220 wrote to memory of 3188 3220 8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe nazbeb.exe PID 3220 wrote to memory of 3188 3220 8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe PID 3188 wrote to memory of 4416 3188 nazbeb.exe nazbeb.exe -
outlook_office_path 1 IoCs
Processes:
nazbeb.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook nazbeb.exe -
outlook_win_path 1 IoCs
Processes:
nazbeb.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook nazbeb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe"C:\Users\Admin\AppData\Local\Temp\8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\nazbeb.exeC:\Users\Admin\AppData\Local\Temp\nazbeb.exe C:\Users\Admin\AppData\Local\Temp\jyioadmvle2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\nazbeb.exeC:\Users\Admin\AppData\Local\Temp\nazbeb.exe C:\Users\Admin\AppData\Local\Temp\jyioadmvle3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4416
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
103KB
MD5c590478e77c9e019771b181b13362629
SHA11fd2f2fafe2c95b75e422d869ee49e0fc9f19e5f
SHA256709531c7ef6151725bc0e68d2b50bb87cc5f85243adab511fc630d493541ec4b
SHA512fd0fde6af028c0f40b17e488c9cfd7beaeebadd082a22c5a5a39ea229d2a27d03c7fb4bf3efd7c3fda2cd17184d15a17e76e97f3480e30ba84750516d30e5fbc
-
Filesize
4KB
MD51108a516c107c60ccf1430555efbad88
SHA10234f6a73f558d6e472d996ced13f9536cb6f369
SHA25649a11ac8bbc855a3e73e62941328d38cc9047ef3eddb018d06609f1d48c0e0a8
SHA51224315f41f1a124bcaee04c0cda5406c142a65ab3fcb589a23551deb7df3b3f1a5bce2b04a949733bbe0ceefb3f4d60b04d8c25cd350abf28ddf0c51279e29597
-
Filesize
73KB
MD50d1ab370889916ecbf81e1526953f688
SHA114d9e3cfd545a862782586b81bfa2f2b1ee4dd19
SHA2561cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f
SHA512259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37
-
Filesize
73KB
MD50d1ab370889916ecbf81e1526953f688
SHA114d9e3cfd545a862782586b81bfa2f2b1ee4dd19
SHA2561cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f
SHA512259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37
-
Filesize
73KB
MD50d1ab370889916ecbf81e1526953f688
SHA114d9e3cfd545a862782586b81bfa2f2b1ee4dd19
SHA2561cb95297abb46d5a8dbdf17f18f19e3533b52abbc48cc8492413b35e1a1b5e6f
SHA512259650519bd06dfad4ae364893c9cc375e20e5606d61bc05a1a9e72d432b2a024401ef0f6f78038ec1cdc3fd2b661efbd68e168d6e4eef02d2da646b33c33e37