Overview

overview

10

Static

static

8829d775e9...91.exe

windows7_x64

10

8829d775e9...91.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe

  • Size

    136KB

  • MD5

    aa6422a82c0bf522ed68ecbedf0755c4

  • SHA1

    1a171a4ebf38accf629b1ca55a8c993852b529d7

  • SHA256

    8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091

  • SHA512

    f8509eccff21572040debf6b77e90c9e4e38a09fc205f1cc75f9d63a84f7a453019f52d31d68383679dacd3047ce13cc6657849b444a5acff3cf4e053817990e

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Fake 404 Response

    suricata: ET MALWARE LokiBot Fake 404 Response

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe
    "C:\Users\Admin\AppData\Local\Temp\8829d775e9c9bdf19ce4254b7d7e50121274ed3d42b5778fc9ca2536b53bd091.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
      C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe C:\Users\Admin\AppData\Local\Temp\urhlr
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
        C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe C:\Users\Admin\AppData\Local\Temp\urhlr
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9b35htay6k
    Filesize

    103KB

    MD5

    f4db5efeffb5e64ecbe010f403ee471a

    SHA1

    9c43f72ddea1bfd262a68ebee52e6faedbaeb403

    SHA256

    b0f5a8d1784e768cb5831b6e8c977a16041dccd627c6b086333589c8774d944e

    SHA512

    d8348c05a0a6df8daa4ecad3acb586dc53abfb020e5dfd75158cffeff46f193ec3c8eeff27efe02ae6c511c54c1403a54f4c2308df9593ad30d5e4bfa03e531b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
    Filesize

    4KB

    MD5

    0a197dbd6a4504eab7459c0a16802521

    SHA1

    de157adc02efe3e7b40e4781edafd1d4d1c57a1f

    SHA256

    aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf

    SHA512

    1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
    Filesize

    4KB

    MD5

    0a197dbd6a4504eab7459c0a16802521

    SHA1

    de157adc02efe3e7b40e4781edafd1d4d1c57a1f

    SHA256

    aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf

    SHA512

    1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
    Filesize

    4KB

    MD5

    0a197dbd6a4504eab7459c0a16802521

    SHA1

    de157adc02efe3e7b40e4781edafd1d4d1c57a1f

    SHA256

    aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf

    SHA512

    1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\urhlr
    Filesize

    5KB

    MD5

    e605faa1490451ad52f739646e6931e9

    SHA1

    505a2ef29744e49849426352e5e6d8da38fac250

    SHA256

    4beac0b8772ee4b61115cfdbc56035e7899a9c64ab602c1b9bd8e89d2111fb3c

    SHA512

    d085fe50e371fac4ec28d0121b4e49b99add6ff31a63a09bfaf032833abba8f8570b41290fb0fced43530384f447c271a5488cc60546c34420f02cd8e24bfc8c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
    Filesize

    4KB

    MD5

    0a197dbd6a4504eab7459c0a16802521

    SHA1

    de157adc02efe3e7b40e4781edafd1d4d1c57a1f

    SHA256

    aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf

    SHA512

    1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
    Filesize

    4KB

    MD5

    0a197dbd6a4504eab7459c0a16802521

    SHA1

    de157adc02efe3e7b40e4781edafd1d4d1c57a1f

    SHA256

    aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf

    SHA512

    1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ifrlmlvu.exe
    Filesize

    4KB

    MD5

    0a197dbd6a4504eab7459c0a16802521

    SHA1

    de157adc02efe3e7b40e4781edafd1d4d1c57a1f

    SHA256

    aa05609c14039954ff6314278b456c55916eb0ad2cb5f887eff6e43114d1c5bf

    SHA512

    1ae7c666b1a68af338c8ad6724f0e764cd2e26eabc6e1e0160886661d771722cf39f576052a000d205100569e4bc2746f80a58f008216dbc5505acd825f2ce61

    Download Submit
  • memory/644-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1472-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1732-64-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1732-65-0x00000000004139DE-mapping.dmp
    Download
  • memory/1732-68-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1732-70-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download