Analysis
- max time kernel: 160s
- max time network: 170s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 07:46
Static task: static1
Behavioral task: behavioral1
Sample: 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe
Resource: win7-20220414-en
General
- Target: 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe
- Size: 557KB
- MD5: 8133ee977a0f5e8649fdf16976ff84fc
- SHA1: b97f14c79e56b206f94dfdda6525ce8ddf7ef6b3
- SHA256: 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455
- SHA512: 1571ef43e27d052d0cf8201e3adcb017320739d2783ae5f376381ef8143dc979f4041da8961b31d029f0d5d283b1344c4b3d1cbbbde8ed486f7575d450a87297
Malware Config
Extracted: lokibot
- http://sempersim.su/gg1/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  956 | frhdgr.exe
  1236 | frhdgr.exe
- Loads dropped DLL (3 IoCs)
Processes:
  pid | process
  1352 | 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe
  1352 | 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe
  956 | frhdgr.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | frhdgr.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | frhdgr.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | frhdgr.exe
- Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 956 set thread context of 1236 | 956 | frhdgr.exe | frhdgr.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1236 | frhdgr.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process
  PID 1352 wrote to memory of 956 | 1352 | 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe | frhdgr.exe
  PID 1352 wrote to memory of 956 | 1352 | 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe | frhdgr.exe
  PID 1352 wrote to memory of 956 | 1352 | 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe | frhdgr.exe
  PID 1352 wrote to memory of 956 | 1352 | 325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
  PID 956 wrote to memory of 1236 | 956 | frhdgr.exe | frhdgr.exe
- outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | frhdgr.exe
- outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | frhdgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe (PID 1352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\325b14d349cd69c5c00c417c4154fc0991a97a22210326c39c434ac05c111455.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\frhdgr.exe (PID 956)
    Command line: C:\Users\Admin\AppData\Local\Temp\frhdgr.exe C:\Users\Admin\AppData\Local\Temp\vxogkynyop
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\frhdgr.exe (PID 1236)
      Command line: C:\Users\Admin\AppData\Local\Temp\frhdgr.exe C:\Users\Admin\AppData\Local\Temp\vxogkynyop
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\frhdgr.exe
  Filesize: 4KB
  MD5: f550c77b60086cc12ee9d2d49e89e4d3
  SHA1: 8026ce75035a1d27f2d2b6705d3a7f1c4151f019
  SHA256: 8a0154c741eac0ae67a5fd8b5ace266bb7d3f18eff4ded2fef019ca5730accbd
  SHA512: 07e3f4a6518b5df0789362372f0cab1f518bb655b2caa842470e6bb24ea1067dff6d3c8ef39a52c8a3c375776394d07eeffa805ce0d81a7636bfd1e16d488f9b
- C:\Users\Admin\AppData\Local\Temp\vxogkynyop
  Filesize: 4KB
  MD5: 6659fb8be5732ce641e6638f5b65e31e
  SHA1: 32fcae62efdb69306eb33fff8e9eb70c8148404f
  SHA256: 5fc8130b26d39bd1c5c8084b49906fcce85f72919ed1c1a2568e6e57fd616bf5
  SHA512: 32db63e42ecae207327f1415b5f18e70630a6757886eb70960538ec7742801db161767c2e7288c70eb1cb69f44ac7efd2e257248fc51f88dfa8a82340c457521
- C:\Users\Admin\AppData\Local\Temp\wdxw2bfd6vcc5n
  Filesize: 103KB
  MD5: 8c52266ec1b84addeb65fbfa794b790a
  SHA1: e0b8acc8d00dd6c4ac1cf2ffde0ff71072318083
  SHA256: 7f2606a9a9f7e3797e3c8580612b81216079eb0a62ba3eea229e409302a59ef1
  SHA512: 9e5d3513a236a25cebf76b44692009d140419f83a589e0b8e8a0a0f0665f44f90d12c4ada9fdb705374e09bbbf323736be4973a5b1e06df8dbbd76a089ea1da6
- \Users\Admin\AppData\Local\Temp\frhdgr.exe
  Filesize: 4KB
  MD5: f550c77b60086cc12ee9d2d49e89e4d3
  SHA1: 8026ce75035a1d27f2d2b6705d3a7f1c4151f019
  SHA256: 8a0154c741eac0ae67a5fd8b5ace266bb7d3f18eff4ded2fef019ca5730accbd
  SHA512: 07e3f4a6518b5df0789362372f0cab1f518bb655b2caa842470e6bb24ea1067dff6d3c8ef39a52c8a3c375776394d07eeffa805ce0d81a7636bfd1e16d488f9b
- memory/956-57-0x0000000000000000-mapping.dmp
- memory/1236-64-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1236-65-0x00000000004139DE-mapping.dmp
- memory/1236-68-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1236-70-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/1352-54-0x0000000075C71000-0x0000000075C73000-memory.dmp
  Filesize: 8KB