Analysis
-
max time kernel
166s -
max time network
168s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 12:45
General
-
Target
new order.exe
-
Size
304KB
-
MD5
7c3af2b1640815d44ef42a11ffb3eb28
-
SHA1
059a0423d8f45c9ec833791071b6ab84dfa21ba9
-
SHA256
087836474ec9c75d0ebf6c9d36c805d0bf70bf2cc63985fb68d87797b1e923fa
-
SHA512
6c97323f45c50ff07d160eb16f0a9d558b73960413d5bd1377092711910d7f76a1e0ad8b3153044e1671e6a250e7d73d83fe3124752810be734cead7bc592b26
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://shehig.com/kingoo/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"C:\Users\Admin\AppData\Local\Temp\new order.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"C:\Users\Admin\AppData\Local\Temp\new order.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/320-62-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/320-72-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/320-70-0x00000000004139DE-mapping.dmp
-
memory/320-69-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/320-64-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/320-66-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/320-67-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/320-61-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB
-
memory/964-57-0x00000000007F0000-0x000000000081A000-memory.dmpFilesize
168KB
-
memory/964-60-0x0000000000B20000-0x0000000000B28000-memory.dmpFilesize
32KB
-
memory/964-59-0x0000000000760000-0x0000000000776000-memory.dmpFilesize
88KB
-
memory/964-58-0x0000000000390000-0x00000000003A6000-memory.dmpFilesize
88KB
-
memory/964-54-0x0000000000930000-0x0000000000982000-memory.dmpFilesize
328KB
-
memory/964-56-0x0000000000320000-0x0000000000328000-memory.dmpFilesize
32KB
-
memory/964-55-0x00000000764C1000-0x00000000764C3000-memory.dmpFilesize
8KB