Analysis
max time kernel: 132s
max time network: 145s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 18:33
Static task: static1
Behavioral task: behavioral1
Sample: rar.exe
Resource: win7-20220414-en
General
Target: rar.exe
Size: 838KB
MD5: 30c26f973e864ae0bb81942137176acb
SHA1: ab42932e9e8bb05250369966bd2af44223db82a1
SHA256: 51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab
SHA512: 0ff5f5c3af3a8cd4b37fce61e2230e5889cbe42d956ab1c9b2273eb268aa1951f192ef342ff5d218cb5ebe2103d7fa88aba5d74d12a2c4eeaab8a7d9e7fbb98c
Malware Config
Extracted family: lokibot
C2 URLs:
- http://rarlab.gq/comic/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
ModiLoader Second Stage 1 IoCs
  resource:  behavioral1/memory/364-65-0x0000000003770000-0x00000000037BE000-memory.dmp
  yara_rule: modiloader_stage2
Executes dropped EXE 1 IoCs
  PID 364  Ardcuwo.exe
Loads dropped DLL 4 IoCs
  PID 1588  rar.exe  (4 events)
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  ieinstal.exe  Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  ieinstal.exe  Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  ieinstal.exe  Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Suspicious use of SetThreadContext 1 IoCs
  PID 364 (Ardcuwo.exe) set thread context of PID 1172 (ieinstal.exe)
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note that this is likely ransomware behaviour; in this run the extracted config and the Suricata hits identify the payload as LokiBot, a credential stealer, so treat drive enumeration here as a supporting indicator rather than evidence of ransomware.
Suspicious use of AdjustPrivilegeToken 1 IoCs
  PID 1172  ieinstal.exe  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 13 IoCs
  PID 1588 (rar.exe) wrote to memory of PID 364 (Ardcuwo.exe)  (4 events)
  PID 364 (Ardcuwo.exe) wrote to memory of PID 1172 (ieinstal.exe)  (9 events)
outlook_office_path 1 IoCs
  ieinstal.exe  Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
outlook_win_path 1 IoCs
  ieinstal.exe  Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
1. C:\Users\Admin\AppData\Local\Temp\rar.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\rar.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe  (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\internet explorer\ieinstal.exe  (child of 2)
         command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
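The behaviours this report lists (the rar.exe -> Ardcuwo.exe -> ieinstal.exe chain with cross-process WriteProcessMemory followed by SetThreadContext, ieinstal.exe opening the Outlook profile keys, the dropped-file hashes and the extracted LokiBot C2 URLs) are what a detection engineer would want to turn into host-side logic. The block below is an added example written for this page, not the sandbox's code: it replays those indicators against constructed Sysmon-like event records. The event field names, the event shapes, the OUTLOOK_READERS allowlist and the SAMPLE_EVENTS list (including the HTTP request, which the report infers only via Suricata) are assumptions for illustration; the URLs, hashes, registry keys, image paths and PIDs are copied from the report.

```python
"""Replay the indicators from this sandbox report against constructed events.
Added example, not part of the report. Event schema and sample events are
assumptions; URLs, hashes, registry keys, image paths and PIDs are from the
report."""
from collections import defaultdict
from urllib.parse import urlparse

# C2 URLs from the extracted LokiBot config.
LOKIBOT_C2 = {
    "http://rarlab.gq/comic/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}
C2_HOSTS = {urlparse(u).hostname for u in LOKIBOT_C2}

# SHA256 of the sample and of the two files listed under Downloads.
KNOWN_SHA256 = {
    "51c81d6e49ad27baa52a1d1047fe0a5c61c209d39110b81ab07cd2aa30a221ab",  # rar.exe
    "7bffae8eeeb0d85a5135a59b73fbe8729f8b1fdad632f7ca29938aea11a50326",  # Ardc
    "6ee84d641a5bc29af14827bfed8348547a6e8095d27511d5884d4f5549432402",  # Ardcuwo.exe
}

# Suffixes of the registry keys ieinstal.exe opened (Outlook profile stores).
OUTLOOK_PROFILE_MARKERS = (
    r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook",
    r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
    r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
)
# Images expected to read Outlook profiles (assumption; tune per estate).
OUTLOOK_READERS = {"outlook.exe", "mapisp32.exe", "fixmapi.exe"}


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) findings for an ordered list of event dicts."""
    findings = []
    wrote_to = defaultdict(set)  # writer pid -> pids it has written into
    for ev in events:
        op, img = ev["op"], image_name(ev["image"])
        if op == "FileWrite" and ev["sha256"] in KNOWN_SHA256:
            findings.append(("known_dropped_file", f"{img}({ev['pid']}) wrote {ev['path']}"))
        elif op == "WriteProcessMemory" and ev["pid"] != ev["target_pid"]:
            wrote_to[ev["pid"]].add(ev["target_pid"])
        elif op == "SetThreadContext" and ev["pid"] != ev["target_pid"]:
            # Hollowing heuristic: the same process earlier wrote into the target,
            # and the target runs a different image (here a Microsoft binary).
            tgt = image_name(ev["target_image"])
            if ev["target_pid"] in wrote_to[ev["pid"]] and img != tgt:
                findings.append(("process_hollowing",
                                 f"{img}({ev['pid']}) -> {tgt}({ev['target_pid']})"))
        elif op == "RegOpenKey":
            key = ev["key"]
            if any(key.endswith(m) for m in OUTLOOK_PROFILE_MARKERS) and img not in OUTLOOK_READERS:
                findings.append(("outlook_profile_access", f"{img}({ev['pid']}) opened {key}"))
        elif op == "HttpRequest":
            url = ev["url"]
            if url in LOKIBOT_C2 or urlparse(url).hostname in C2_HOSTS:
                findings.append(("lokibot_c2", f"{img}({ev['pid']}) -> {url}"))
    return findings


# Constructed events mirroring the report's chain; the OUTLOOK.EXE read and the
# HTTP request are assumptions added to show the allowlist and the C2 match.
RAR = r"C:\Users\Admin\AppData\Local\Temp\rar.exe"
ARDCUWO = r"C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe"
IEINSTAL = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
SID = r"\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
SAMPLE_EVENTS = [
    {"op": "FileWrite", "pid": 1588, "image": RAR, "path": ARDCUWO,
     "sha256": "6ee84d641a5bc29af14827bfed8348547a6e8095d27511d5884d4f5549432402"},
    {"op": "WriteProcessMemory", "pid": 1588, "image": RAR, "target_pid": 364, "target_image": ARDCUWO},
    {"op": "WriteProcessMemory", "pid": 364, "image": ARDCUWO, "target_pid": 1172, "target_image": IEINSTAL},
    {"op": "SetThreadContext", "pid": 364, "image": ARDCUWO, "target_pid": 1172, "target_image": IEINSTAL},
    {"op": "RegOpenKey", "pid": 1172, "image": IEINSTAL,
     "key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"op": "RegOpenKey", "pid": 2000, "image": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
     "key": SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"op": "HttpRequest", "pid": 1172, "image": IEINSTAL, "url": "http://alphastand.top/alien/fre.php"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

Note that the rar.exe write into Ardcuwo.exe is not flagged: it is never followed by a SetThreadContext from the same writer, which is what separates a parent handing a child its startup data from the Ardcuwo.exe -> ieinstal.exe pattern the report records. The OUTLOOK.EXE read of the same profile key is suppressed by the allowlist, so only the read from a non-Office process surfaces.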
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Ardc
  Filesize: 596KB
  MD5: ca8ea856ca273189758f8fa5bbb0db5c
  SHA1: 174847d0c512a41380a29cff0b07caad40caa280
  SHA256: 7bffae8eeeb0d85a5135a59b73fbe8729f8b1fdad632f7ca29938aea11a50326
  SHA512: cecf8d9e4cc643c4c7443a97479a9dde259d60e018ed3545ea0ab1c55d6cf817ece5722b4dd321aea759bc9d4b0cae504932e8e567346ccbc1373c3ace539553
C:\Users\Admin\AppData\Local\Temp\Ardcuwo.exe
  Filesize: 636KB
  MD5: 8f399686fd75b6ebfae5e6913bc1876c
  SHA1: ead367a47586d66374bb3060358d9976db6da7af
  SHA256: 6ee84d641a5bc29af14827bfed8348547a6e8095d27511d5884d4f5549432402
  SHA512: 8f6800ea54d3cfa9c294db4981c6e2170bfde23000544bd9b50eed69999ac2cbc8aeeb01ad9859deaa00216fe4b2019e0e3bf1e1d7b458f48d3f666e7a6391b9
\Users\Admin\AppData\Local\Temp\Ardcuwo.exe  (listed 4 times, same file)
  Filesize: 636KB
  MD5: 8f399686fd75b6ebfae5e6913bc1876c
  SHA1: ead367a47586d66374bb3060358d9976db6da7af
  SHA256: 6ee84d641a5bc29af14827bfed8348547a6e8095d27511d5884d4f5549432402
  SHA512: 8f6800ea54d3cfa9c294db4981c6e2170bfde23000544bd9b50eed69999ac2cbc8aeeb01ad9859deaa00216fe4b2019e0e3bf1e1d7b458f48d3f666e7a6391b9
memory/364-59-0x0000000000000000-mapping.dmp
memory/364-65-0x0000000003770000-0x00000000037BE000-memory.dmp  Filesize: 312KB
memory/1172-66-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1172-68-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1172-69-0x00000000004139DE-mapping.dmp
memory/1172-71-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1172-73-0x0000000000400000-0x00000000004A2000-memory.dmp  Filesize: 648KB
memory/1588-54-0x0000000076191000-0x0000000076193000-memory.dmp  Filesize: 8KB