Analysis

  • max time kernel
    137s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 19:47

General

  • Target

    584d3414d01e2b9fbf3bdc4d906a6cef988d9f71df3e2593a94f7e2beec62295.exe

  • Size

    176KB

  • MD5

    6ef5c37e992049ae450a3c1800066b5e

  • SHA1

    8cb063809f60e5e4e2f06189200a512a9bf0d4bc

  • SHA256

    584d3414d01e2b9fbf3bdc4d906a6cef988d9f71df3e2593a94f7e2beec62295

  • SHA512

    8b978f7ae7318f63e23ac4028cc4abb7fec63f1098689fb43694038ce7de5dd55aab67238a4fe703b77a24aa9f8a5ecf7be97aa78f417c31c9b50ab5d24da23e

Malware Config

Extracted

Family

lokibot

C2

  • http://arabdocx.buzz/five/fre.php
  • http://kbfvzoboss.bid/alien/fre.php
  • http://alphastand.trade/alien/fre.php
  • http://alphastand.win/alien/fre.php
  • http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\584d3414d01e2b9fbf3bdc4d906a6cef988d9f71df3e2593a94f7e2beec62295.exe
    "C:\Users\Admin\AppData\Local\Temp\584d3414d01e2b9fbf3bdc4d906a6cef988d9f71df3e2593a94f7e2beec62295.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Local\Temp\nuirup.exe
      C:\Users\Admin\AppData\Local\Temp\nuirup.exe C:\Users\Admin\AppData\Local\Temp\rsjfvp
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Users\Admin\AppData\Local\Temp\nuirup.exe
        C:\Users\Admin\AppData\Local\Temp\nuirup.exe C:\Users\Admin\AppData\Local\Temp\rsjfvp
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2024

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (1)
  • Collection: Email Collection, T1114 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bkwna7khbukemyk1xr
    Filesize

    103KB

    MD5

    453003fcebb446982e14ef9d9aa8d4c9

    SHA1

    2768d9cb8f15733ad01fc89e274794bc21b5f0be

    SHA256

    8993101eee159041b0a7a892ac2a6ae3ee29ec231a8198a6d9c80687f392f221

    SHA512

    9c039eab9d7307570fa4e8aac34fc00f7983f9ca25284dd4138a85b077bf0b977304e92a494bf645461e923b6142de984589c38ee586ff116915df8ca9e559be

  • C:\Users\Admin\AppData\Local\Temp\nuirup.exe
    Filesize

    3KB

    MD5

    49ed1ba5d9d5d41bbf6eb4518547d5c3

    SHA1

    08a36f17c02d39e5f55316ba19bca69961caac56

    SHA256

    71d0f09a426a7b4f5fcac48e8ff6e14052c107336b88b66f686317ffd6f9ea6f

    SHA512

    e50ae30c9614509d32f464790570e7616be02006d21acbd319657f1ba876e48077f64c0ab06e2fded076e7dcbff213e62de019e3c5e8cb49759f13321aab2ac1

  • C:\Users\Admin\AppData\Local\Temp\rsjfvp
    Filesize

    5KB

    MD5

    ff0b041f874f621c3fdda3d8426aab0f

    SHA1

    5152c155b4b55027c5596ad74d39e71b04efa7e7

    SHA256

    a08a3fe7b3a242c96dc1eba7c61ae894df881f5c95cae42c2bcc681ee62c1370

    SHA512

    b8e57edd81a16349142b62e028d9655f7c1fe6c7f25c0b2457d3c4582a92ec7fcad81e64af669e4b1a447cd4eac2c68e976a36359192f261a8da78c7cd51d4bb

  • memory/2024-135-0x0000000000000000-mapping.dmp
  • memory/2024-136-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2024-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2024-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2080-130-0x0000000000000000-mapping.dmp