Analysis
- max time kernel: 100s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 10:53

Static task: static1
Behavioral task: behavioral1
Sample: Request For Quotation.exe
Resource: win7-20220414-en
General
- Target: Request For Quotation.exe
- Size: 666KB
- MD5: d903149bfb01a43a2afafddcbb9f2ff5
- SHA1: 37b4111dc0f14a7e156c1bfa0c57be2f8c62f540
- SHA256: 1c6998eb17cf21837fa8153add76ce113846aa94e96d089687fce38c25bbd31f
- SHA512: 059db520c92103fbf43c5fa66bc104f559541e9119d3dcc83825966d72127bb93ef936d6db6869fda4c1c3b8bb35ef556302bb523fb1cb9b376867844b4b891b
Malware Config
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: Request For Quotation.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Request For Quotation.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | Request For Quotation.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Request For Quotation.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Request For Quotation.exe
  description | pid | process | target process
  PID 2992 set thread context of 3428 | 2992 | Request For Quotation.exe | Request For Quotation.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Request For Quotation.exe
  pid | process
  2992 | Request For Quotation.exe
  2992 | Request For Quotation.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: Request For Quotation.exe
  pid | process
  2992 | Request For Quotation.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: Request For Quotation.exe
  pid | process
  3428 | Request For Quotation.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Request For Quotation.exe
  description | pid | process
  Token: SeDebugPrivilege | 3428 | Request For Quotation.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Request For Quotation.exe
  description | pid | process | target process
  PID 2992 wrote to memory of 3428 | 2992 | Request For Quotation.exe | Request For Quotation.exe
  PID 2992 wrote to memory of 3428 | 2992 | Request For Quotation.exe | Request For Quotation.exe
  PID 2992 wrote to memory of 3428 | 2992 | Request For Quotation.exe | Request For Quotation.exe
- outlook_office_path (1 IoCs)
  Processes: Request For Quotation.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | Request For Quotation.exe
- outlook_win_path (1 IoCs)
  Processes: Request For Quotation.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Request For Quotation.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
  PID: 2992
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"
    PID: 3428
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path