Analysis
- Max time kernel: 135s
- Max time network: 160s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 21-05-2022 19:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe
- Resource: win7-20220414-en
General
- Target: 73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe
- Size: 136KB
- MD5: a33b751ae80d3c17365e43514e8e64eb
- SHA1: 4353a2b794b86c90328a51141166e06a6100ab81
- SHA256: 73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f
- SHA512: 14cdc7c3122bc5bf5c7ee651ac61000a05bde189cec2884c8385e4f5cc9f30e4f59c23ded4af05f0635def96d6ff5ee1ad5acb80eb0f3d969800548e13519967
Malware Config
Extracted
- Family: lokibot
- C2:
  - http://sempersim.su/gg2/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 3396: pbilukxxp.exe
  - PID 4628: pbilukxxp.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - pbilukxxp.exe: key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  - pbilukxxp.exe: key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - pbilukxxp.exe: key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3396 (pbilukxxp.exe) set thread context of PID 4628 (pbilukxxp.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - PID 4628 (pbilukxxp.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 4272 (73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe) wrote to memory of PID 3396 (pbilukxxp.exe), 3 events
  - PID 3396 (pbilukxxp.exe) wrote to memory of PID 4628 (pbilukxxp.exe), 9 events
- outlook_office_path (1 IoC)
  Processes:
  - pbilukxxp.exe: key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes:
  - pbilukxxp.exe: key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73a564024585bde72b946fd0ffad79666a63e60cff4b7687371f9d982ad13e3f.exe"
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe C:\Users\Admin\AppData\Local\Temp\yuaymhmxy
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe C:\Users\Admin\AppData\Local\Temp\yuaymhmxy
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ln5bae9u5vvvm7j
  Filesize: 103KB
  MD5: bb92d81c9f4f109489a440bb5736dbc9
  SHA1: 1e8f3bc0a91b6c08feda10356d8d0ddb772e8d69
  SHA256: df3f05a647bf65af1590a95f05be3ca05639b9e63405ecdb0a1c92309cf90408
  SHA512: 93efdf2171fd92c4b6aad5b326900adffba0ee0be10249dafb6a12ea0c8629c6ff3e499b91c0c8e4c18647ce068b904eade4e19aab73845a51dc11c4fe5bd7b9
- C:\Users\Admin\AppData\Local\Temp\pbilukxxp.exe
  Filesize: 5KB
  MD5: 8577f84304ec69a2a97bea84a294f3ef
  SHA1: 031c4deffe9161bd5a46fc32cd37432c0d7b5fd1
  SHA256: e5781f1b1d2ba037eb464d8a37e087f5a25b7eae6d531fa8e9bd4ed4fb377302
  SHA512: 40067f8480764a4719d21b9b31c2aec4dc964a388538cd326e5e04a51ef60645287ac5e7b3d23f5b72b36f976388cbb353716464aeb62f3b2a0cf21c7651a0c2
- C:\Users\Admin\AppData\Local\Temp\yuaymhmxy
  Filesize: 5KB
  MD5: c558b829d612fe1fcaa8b8947d917d1c
  SHA1: 697b1b0d527a72a14c69f9d51cbec4d5dccc2069
  SHA256: 0c065067f1b7f19cd75bc177124472138879fce559444897cdbaf1c5f6adb58b
  SHA512: fb637bbe98faae0685c32908e70b25268f9d497e2b04a0c3d76ef0e57a86c9663a54e48d1557dc51fe4c46a4e4e34e12826d7c0e15bf5ac9f133a45199304b1f
- memory/3396-130-0x0000000000000000-mapping.dmp
- memory/4628-135-0x0000000000000000-mapping.dmp
- memory/4628-136-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4628-139-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB
- memory/4628-140-0x0000000000400000-0x00000000004A2000-memory.dmp
  Filesize: 648KB