Analysis
-
max time kernel
139s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 10:51
Static task
static1
Behavioral task
behavioral1
Sample
#00992-20.exe
Resource
win7-20220414-en
General
-
Target
#00992-20.exe
-
Size
580KB
-
MD5
3479b7645c4dd97b1e7b1f03e0fec29b
-
SHA1
dcb9449935ed0de0c3176278e595391145c51353
-
SHA256
9351842c8f05b32a19dd22011391431072e855e069c6a7c9fdd73cbd6d1bbc0c
-
SHA512
8809a821d68ef1bb09e37de93a182742283618f0bcbf8483fd287af38701480b079876f5d4a79de13d2804d6678c80682344ba48db75c428f2bba61c17be53b7
Malware Config
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
#00992-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook #00992-20.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook #00992-20.exe Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook #00992-20.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
#00992-20.exedescription pid process target process PID 756 set thread context of 1792 756 #00992-20.exe #00992-20.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
#00992-20.exepid process 756 #00992-20.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
#00992-20.exepid process 756 #00992-20.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
#00992-20.exepid process 1792 #00992-20.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
#00992-20.exedescription pid process Token: SeDebugPrivilege 1792 #00992-20.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
#00992-20.exedescription pid process target process PID 756 wrote to memory of 1792 756 #00992-20.exe #00992-20.exe PID 756 wrote to memory of 1792 756 #00992-20.exe #00992-20.exe PID 756 wrote to memory of 1792 756 #00992-20.exe #00992-20.exe PID 756 wrote to memory of 1792 756 #00992-20.exe #00992-20.exe -
outlook_office_path 1 IoCs
Processes:
#00992-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook #00992-20.exe -
outlook_win_path 1 IoCs
Processes:
#00992-20.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook #00992-20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\#00992-20.exe"C:\Users\Admin\AppData\Local\Temp\#00992-20.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\#00992-20.exe"C:\Users\Admin\AppData\Local\Temp\#00992-20.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1792