Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-05-2022 14:36

General

  • Target

    tmp.exe

  • Size

    178KB

  • MD5

    fefc2d8ef05916189407d8917c61ba13

  • SHA1

    92aa5269b897b91a220dbb70ac54c27807486fa4

  • SHA256

    9b7c9b230e6ebdb3a92ef55e153d76a3186555560cb26be387604f02b214050e

  • SHA512

    8fbdbf89952336775113e26a05c7752440737a95573a66c2273ed5b3b74f5851cd2bb6f41e54e0f5e778f4fa87a13a9fab1dc852f3c6aa8908715687df03651a

Malware Config

Extracted

  • Family
    lokibot
  • C2
    http://hyatqfuh9olahvxf.gq/BN3/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a password and cryptocoin-wallet stealer.

  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  • suricata: ET MALWARE LokiBot Checkin
  • suricata: ET MALWARE LokiBot Fake 404 Response
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

  • Executes dropped EXE ⋅ 2 IoCs
  • Loads dropped DLL ⋅ 3 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses Microsoft Outlook profiles ⋅ 1 TTP, 3 IoCs
  • Suspicious use of SetThreadContext ⋅ 1 IoC
  • Enumerates physical storage devices ⋅ 1 TTP

    Attempts to interact with connected storage or optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken ⋅ 1 IoC
  • Suspicious use of WriteProcessMemory ⋅ 14 IoCs
  • outlook_office_path ⋅ 1 IoC
  • outlook_win_path ⋅ 1 IoC

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\owtepue.exe
      C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\owtepue.exe
        C:\Users\Admin\AppData\Local\Temp\owtepue.exe C:\Users\Admin\AppData\Local\Temp\duiuz
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        PID:1288


Downloads

  • C:\Users\Admin\AppData\Local\Temp\duiuz
    MD5
    fab39498d9d8ab6c001b8a5686df166e
    SHA1
    0662834f2105f0e0e5434c8edb687cb0af8f0160
    SHA256
    eb7a54c62d7de9d4676111930d34ef53ae1666721a9d6b0a5fbd2e3162342f04
    SHA512
    1b978527620e57cff441fecc637849a28a0760acbde357a3123ac463ac98590e92f2e80f4d51018f0eaf878800975e749035167072d8c9c02b21578377b709c6

  • C:\Users\Admin\AppData\Local\Temp\owtepue.exe
    MD5
    8a9fb162d4f5be258225bb2e48b0b052
    SHA1
    c03d6731af8090439ed1445a10b00dd5df7b7794
    SHA256
    8582973a5f8940fbf5f5bd270566b2ed3bf50fd80fa5d441037b240f6914adb3
    SHA512
    cf80bf5ae20c95ab7c4e2240ac95910c5e397d10460f6f8be2fdf1a40127e7eb456f356a5b9dbedcf05bc89651e3d399349f8a747df64e429426371323ded5c6

  • C:\Users\Admin\AppData\Local\Temp\tmj21u6p99
    MD5
    f6866e98eac0add80603f5bb849702bd
    SHA1
    e4853989141797332545b38d372f891e8905cace
    SHA256
    c7f68003f9e161790a9268e8e5197967d7358d19e0abdaaa7f7158ca4bed5035
    SHA512
    0b076eddcf572586573906b59ad75742364e07d94cac40e96d78b24fe2095f41072e95d6d71bf7de2ef132fea4f6aa3c862d495fcee9a32950b8dd84acaec24f