Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:54
General
-
Target
PO_121220002941.exe
-
Size
730KB
-
MD5
09cb80f28d47e2082702f4f8f89fe289
-
SHA1
779ea37a1cd013ef3b9c15a431ae411b2095fd36
-
SHA256
5be0aff5e9bf958f99789e62dd5bdf3b63cfe0e57fcbd1c7144d9a5e71f530f7
-
SHA512
7c13a8fc770b960df94d0d4c574e19539ca12de56fa2766500c2b90c05b8e4cd31c7e60ebd7d5a9e19acc41eee4eaf729ef91bf7a4839d31a5a627314d6f0c8d
Score
10/10
Malware Config
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe"C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe"C:\Users\Admin\AppData\Local\Temp\PO_121220002941.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/916-55-0x00000000004139DE-mapping.dmp
-
memory/1048-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1048-56-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB