General
Target: COVID-19 TRANSFER RECEIPT FORM_pdf.exe
Filesize: 1MB
Completed: 21-05-2022 18:38
Task: behavioral2
Score: 10/10
MD5: 1678a6372c11592d92876749482fd18e
SHA1: e7001067022152bc76445369c9c14f59e0097fdc
SHA256: 2a3c60d816836bf1cecb31f34d4eaf5b93976c123364538d5b8e22e9272e1269
SHA512: fa2bc8977f0c929fd6baafaf863b809a38eb6704f05199ec6073cda40116ffc169c6ea33079cbd367f21084ad6a581dabd989e5f4163fa2f4648406c35fc778b

Malware Config
Extracted
Family: lokibot
C2:
  • http://attlogistics-vn.com/first/chief2/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Signatures 9

Collection
  • Lokibot

    Description

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Accesses Microsoft Outlook profiles
    dllhost.exe

    TTPs: Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | dllhost.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe

  • Suspicious use of SetThreadContext
    COVID-19 TRANSFER RECEIPT FORM_pdf.exe

    Reported IOCs

    description | pid | process | target process
    PID 3588 set thread context of 4968 | 3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe | dllhost.exe

  • Suspicious use of AdjustPrivilegeToken
    dllhost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4968 | dllhost.exe

  • Suspicious use of FindShellTrayWindow
    COVID-19 TRANSFER RECEIPT FORM_pdf.exe

    Reported IOCs

    pid | process
    3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe
    3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe
    3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe

  • Suspicious use of SendNotifyMessage
    COVID-19 TRANSFER RECEIPT FORM_pdf.exe

    Reported IOCs

    pid | process
    3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe
    3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe
    3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe

  • Suspicious use of WriteProcessMemory
    COVID-19 TRANSFER RECEIPT FORM_pdf.exe

    Reported IOCs

    description | pid | process | target process
    PID 3588 wrote to memory of 4968 | 3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe | dllhost.exe
    PID 3588 wrote to memory of 4968 | 3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe | dllhost.exe
    PID 3588 wrote to memory of 4968 | 3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe | dllhost.exe
    PID 3588 wrote to memory of 4968 | 3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe | dllhost.exe
    PID 3588 wrote to memory of 4968 | 3588 | COVID-19 TRANSFER RECEIPT FORM_pdf.exe | dllhost.exe

  • outlook_office_path
    dllhost.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | dllhost.exe

  • outlook_win_path
    dllhost.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | dllhost.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\COVID-19 TRANSFER RECEIPT FORM_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\COVID-19 TRANSFER RECEIPT FORM_pdf.exe"
    Suspicious use of SetThreadContext
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\SysWOW64\dllhost.exe"
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:4968
Downloads
  • memory/3588-138-0x0000000000F20000-0x0000000000F55000-memory.dmp
  • memory/3588-139-0x0000000003300000-0x0000000003335000-memory.dmp
  • memory/4968-130-0x0000000000000000-mapping.dmp
  • memory/4968-131-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/4968-137-0x0000000000400000-0x00000000004A2000-memory.dmp
  • memory/4968-140-0x0000000000400000-0x00000000004A2000-memory.dmp