Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 19:47
Static task: static1
Behavioral task: behavioral1
Sample: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
Resource: win7-20220414-en

General
Target: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe
Size: 122KB
MD5: d85f82b6c267725dbef70ba110f5b972
SHA1: 00724c2ed905189cd2b142ee196232b5dbadcdea
SHA256: 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5
SHA512: a9a896237a87bfcfdab0be6d445d730647afa51c48b29826d5dcec27ada75a9325300fd6cd4af673f856cca173285def4aa9f6973e0bca34c3dd4751ee4e9e79
Malware Config
Extracted family: lokibot
C2 URLs (five panel endpoints, all ending in fre.php):
http://hyatqfuh9olahvxf.gq/BN3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Executes dropped EXE (2 IoCs)
PID 960 tihue.exe
PID 1716 tihue.exe

Loads dropped DLL (3 IoCs)
PID 316 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe (2 loads)
PID 960 tihue.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form autofill data.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
tihue.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
tihue.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
tihue.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
PID 960 (tihue.exe) set thread context of PID 1716 (tihue.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic rule text labels this as likely ransomware behaviour, but drive enumeration on its own is not evidence of encryption; for this sample the extracted LokiBot config, the credential-exfiltration Suricata hits and the Outlook profile reads point to an infostealer.

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 1716 (tihue.exe) adjusted token privilege: SeDebugPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
PID 316 (6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe) wrote to memory of PID 960 (tihue.exe): 4 events
PID 960 (tihue.exe) wrote to memory of PID 1716 (tihue.exe): 10 events

outlook_office_path (1 IoC)
tihue.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
tihue.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Processes
1. C:\Users\Admin\AppData\Local\Temp\6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe (PID 316)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\tihue.exe (PID 960), child of 1
      Command line: C:\Users\Admin\AppData\Local\Temp\tihue.exe C:\Users\Admin\AppData\Local\Temp\rigeo
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tihue.exe (PID 1716), child of 2
         Command line: C:\Users\Admin\AppData\Local\Temp\tihue.exe C:\Users\Admin\AppData\Local\Temp\rigeo
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
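The behaviour rows above (WriteProcessMemory and SetThreadContext from PID 960 into its own child PID 1716, SeDebugPrivilege on that child, the three Outlook profile keys) and the C2 list in the Malware Config section are what an analyst turns into detections and blocks. The script below is an added example and is not part of the sandbox report or of any vendor tooling: it parses the report's rows (transcribed here as constructed input), flags the parent/child pair that shows the full hollowing sequence, groups the Outlook profile key opens by process, and turns the five C2 URLs into local Suricata rules. The hollowing heuristic, the key matcher, the assumption that the C2 traffic is an HTTP POST and the SID range are this example's own.

```python
"""Added example (not from the sandbox or any vendor): parse the report's
behaviour rows, flag the hollowing pair and Outlook profile reads, and turn
the extracted C2 URLs into local Suricata rules."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input: the report's rows, one event per line (the sandbox
# prints them flattened). Raw string keeps the registry backslashes intact.
EVENT_ROWS = r"""
PID 316 wrote to memory of 960 316 6cb808501ba2fa8738fe3899dd8114e2402f6b18b363c055601d417ad7693be5.exe tihue.exe
PID 960 wrote to memory of 1716 960 tihue.exe tihue.exe
PID 960 set thread context of 1716 960 tihue.exe tihue.exe
Token: SeDebugPrivilege 1716 tihue.exe
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook tihue.exe
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook tihue.exe
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook tihue.exe
"""

# C2 URLs exactly as listed in the Malware Config section.
C2_URLS = [
    "http://hyatqfuh9olahvxf.gq/BN3/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

RE_WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
RE_STC = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
RE_TOK = re.compile(r"Token: (\S+) (\d+) (\S+)")
RE_KEY = re.compile(r"Key opened (.+?) (\S+)$")  # key path itself contains spaces


def parse_events(text):
    """Turn the flattened rows into dicts; rows of other kinds are skipped."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := RE_WPM.match(line):
            events.append({"op": "WriteProcessMemory", "src": int(m[1]), "dst": int(m[2]),
                           "src_img": m[3], "dst_img": m[4]})
        elif m := RE_STC.match(line):
            events.append({"op": "SetThreadContext", "src": int(m[1]), "dst": int(m[2]),
                           "src_img": m[3], "dst_img": m[4]})
        elif m := RE_TOK.match(line):
            events.append({"op": "AdjustPrivilegeToken", "priv": m[1], "pid": int(m[2]), "img": m[3]})
        elif m := RE_KEY.match(line):
            events.append({"op": "RegOpenKey", "key": m[1], "img": m[2]})
    return events


def find_hollowing(events):
    """Parent/child pairs with BOTH WriteProcessMemory and SetThreadContext (the
    hollowing sequence); 'self_copy' marks a child that is a copy of the parent."""
    seen, images = defaultdict(set), {}
    for e in events:
        if e["op"] in ("WriteProcessMemory", "SetThreadContext"):
            seen[(e["src"], e["dst"])].add(e["op"])
            images[(e["src"], e["dst"])] = (e["src_img"], e["dst_img"])
    hits = []
    for (src, dst), ops in seen.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= ops:
            src_img, dst_img = images[(src, dst)]
            privs = sorted(e["priv"] for e in events
                           if e["op"] == "AdjustPrivilegeToken" and e["pid"] == dst)
            hits.append({"parent": src, "child": dst, "image": dst_img,
                         "self_copy": src_img == dst_img, "child_privs": privs})
    return hits


def find_outlook_profile_access(events):
    """Opens of the Outlook profile keys (Office 15.0/16.0 and the legacy
    Windows Messaging Subsystem path), grouped by process image."""
    hits = defaultdict(list)
    for e in events:
        if e["op"] == "RegOpenKey" and e["key"].lower().endswith("\\profiles\\outlook"):
            hits[e["img"]].append(e["key"].split("\\Software\\", 1)[-1])
    return dict(hits)


def c2_indicators(urls):
    """Hosts to block and the distinct URI paths the panel answers on."""
    parsed = [urlparse(u) for u in urls]
    return [p.netloc for p in parsed], sorted({p.path for p in parsed})


def suricata_rules(urls, sid_base=1000001):
    """One local rule per C2 URL in Suricata 5 sticky-buffer syntax. Matching on
    POST is an assumption of this example (LokiBot check-in and exfiltration are
    HTTP POSTs to fre.php); sid_base in the 1000000+ local range is one as well."""
    rules = []
    for i, u in enumerate(urls):
        p = urlparse(u)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"LOCAL LokiBot C2 POST to {p.netloc}"; flow:established,to_server; '
            f'http.method; content:"POST"; http.host; content:"{p.netloc}"; '
            f'http.uri; content:"{p.path}"; classtype:trojan-activity; '
            f'sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    ev = parse_events(EVENT_ROWS)
    print(find_hollowing(ev), find_outlook_profile_access(ev), *suricata_rules(C2_URLS), sep="\n")
```

The 316 to 960 pair is deliberately not reported: the original dropper writes into the first tihue.exe but never resets its thread context, so WriteProcessMemory alone is the weaker signal and would also fire on benign loaders. The generated rules key on host plus URI; since the config carries five hosts, load all five rather than only the one seen in a given capture.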
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\djcnqdtoim
Filesize: 103KB
MD5: 1a405a10e36bcc78e2e0a3cbe47422b3
SHA1: 71251c63293b332b6df0d8ca3fb1cfe45b7fa59e
SHA256: 274cceb9121ce6fe83e87bde1f680cfd12886fa2dd38205444ee8f1c53d74fe6
SHA512: 7de8db3e8edacb13fa0e0bd09f4db22d99407223e923d3f8324045643e77f61d9924644ce1845b0eb18efe7ac6b23f96c8f55d1c566350b49b4e6ec1c70aab09

C:\Users\Admin\AppData\Local\Temp\rigeo
Filesize: 4KB
MD5: 12cee403cb1ab648b7e851c357379404
SHA1: de22ef29074112b5545c7ac1fd8c169fbb9bf19b
SHA256: a2683d812dea192f89fddcfb8eaf681467d16529dd1a317678e4e8daf02be4a2
SHA512: e744dad640be387c8ade44cfabdcee722368095078b2282ae9fe7abaad037430b47fb6a0e32f319851f13612b47bc5f33a47fccd1736d48a09e10825ad0a9010

C:\Users\Admin\AppData\Local\Temp\tihue.exe (listed three times in the report, same hashes each time)
Filesize: 4KB
MD5: bc8a8c2aacf92b1406883163082080f7
SHA1: 346ca5d693beb75850f5e849f8948b58630f1aec
SHA256: 9dc99a771c79dd85b8cf9e57a13cbbaf948016fa7513153f7d12e428a83104c8
SHA512: 199c7a48f2ce6c46abcc2e75ae4fa368a2cd87b959a6902c9884e676712d5456b0e5cb5b20346f16cfe3cc29087ee3ab58dde14235ae8228f19baee25832d2ff

\Users\Admin\AppData\Local\Temp\tihue.exe (drive-less path form, listed three times; same file and hashes as the entry above)

memory/316-54-0x00000000769D1000-0x00000000769D3000-memory.dmp (8KB, PID 316)
memory/960-57-0x0000000000000000-mapping.dmp (PID 960)
memory/1716-63-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB, PID 1716)
memory/1716-64-0x00000000004139DE-mapping.dmp (PID 1716)
memory/1716-67-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB, PID 1716)
memory/1716-69-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB, PID 1716)

The 648KB region at image base 0x400000 in PID 1716, dumped three times over the run, is far larger than the 4KB tihue.exe on disk, consistent with the WriteProcessMemory/SetThreadContext sequence from PID 960 having replaced the child's image; the mapping entry at 0x4139DE falls inside that region.