Analysis
-
max time kernel
127s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 10:53
Static task
static1
Behavioral task
behavioral1
Sample
4D0E45FH.exe
Resource
win7-20220414-en
General
-
Target
4D0E45FH.exe
-
Size
588KB
-
MD5
e288141c2eed1f677279609e2472427f
-
SHA1
0650d84aedca704e4e4f9276ef150f47d43e23e6
-
SHA256
e95407fb0f4c97f4f1de70d796c4086b45b9019a261a1093d936008a65e1011f
-
SHA512
1710ff97dcd0bb830a381f055c1ba617b57b1d29a31d117191dc133176505287d8651d1317f53749ba7321d3d0f8a1e388e8cf1fa74a4dd6ae09a084a8f5b03b
Malware Config
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
4D0E45FH.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 4D0E45FH.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook 4D0E45FH.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 4D0E45FH.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
4D0E45FH.exedescription pid process target process PID 4060 set thread context of 4620 4060 4D0E45FH.exe 4D0E45FH.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
4D0E45FH.exepid process 4060 4D0E45FH.exe 4060 4D0E45FH.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
4D0E45FH.exepid process 4060 4D0E45FH.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
4D0E45FH.exepid process 4620 4D0E45FH.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
4D0E45FH.exedescription pid process Token: SeDebugPrivilege 4620 4D0E45FH.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
4D0E45FH.exedescription pid process target process PID 4060 wrote to memory of 4620 4060 4D0E45FH.exe 4D0E45FH.exe PID 4060 wrote to memory of 4620 4060 4D0E45FH.exe 4D0E45FH.exe PID 4060 wrote to memory of 4620 4060 4D0E45FH.exe 4D0E45FH.exe -
outlook_office_path 1 IoCs
Processes:
4D0E45FH.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 4D0E45FH.exe -
outlook_win_path 1 IoCs
Processes:
4D0E45FH.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 4D0E45FH.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4D0E45FH.exe"C:\Users\Admin\AppData\Local\Temp\4D0E45FH.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\4D0E45FH.exe"C:\Users\Admin\AppData\Local\Temp\4D0E45FH.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4620