Analysis
-
max time kernel
188s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 07:53
General
-
Target
tmp.exe
-
Size
876KB
-
MD5
7172f955f38508eac9bc65f647ed627d
-
SHA1
3533afbac7e63993653c81a899a08cdb499ba244
-
SHA256
ab083463bed04a6a3f8848967a59917e86ea70db776a1b5b3e9a7ca8638ae0a7
-
SHA512
be51c5c886d6d6df71f1b8bf8a348d330b89a1c5e78d89bfb64037365ddedc2fff310ff8867208d8f81b6e87678c1034a7bc4d0604215707f60e75d36e214c0f
Malware Config
Extracted
lokibot
http://sempersim.su/gf18/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3580-130-0x0000000000160000-0x0000000000240000-memory.dmpFilesize
896KB
-
memory/3580-131-0x00000000052A0000-0x0000000005844000-memory.dmpFilesize
5.6MB
-
memory/3580-132-0x0000000004C10000-0x0000000004CA2000-memory.dmpFilesize
584KB
-
memory/3580-133-0x0000000004BF0000-0x0000000004BFA000-memory.dmpFilesize
40KB
-
memory/3580-134-0x00000000009B0000-0x0000000000A4C000-memory.dmpFilesize
624KB
-
memory/3580-135-0x0000000000C50000-0x0000000000CB6000-memory.dmpFilesize
408KB
-
memory/3860-136-0x0000000000000000-mapping.dmp
-
memory/3860-137-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3860-139-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/3860-140-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB