Overview

overview

10

Static

static

06c2c1fc83...73.exe

windows7_x64

10

06c2c1fc83...73.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073

  • Size

    1.7MB

  • Sample

    220531-fa6alsadfn

  • MD5

    2a3c99efdf911432be4a154eba65d280

  • SHA1

    283f7b1db8ca593fcd3a34795e6ab3adcb7d01c5

  • SHA256

    06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073

  • SHA512

    2688a925c2e70116683e6b19c8865d858c74e93f9b47f95f11d5587fab62592eb693831e8bc1b969fc3423cd3f379c4c0daa64b7f819a28247c60bbf3c15abc1

Score
10/10
lokibotnetwirebotnetcollectionpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://jalango.co.ke/js/loki/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes
  • activex_autorun

    true

  • activex_key

    {4QIS0Y00-K788-3BRR-G510-L26XY452725R}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Bushbush

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    RjCRIvgp

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Avast

  • use_mutex

    true

Targets

    • Target

      06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073

    • Size

      1.7MB

    • MD5

      2a3c99efdf911432be4a154eba65d280

    • SHA1

      283f7b1db8ca593fcd3a34795e6ab3adcb7d01c5

    • SHA256

      06c2c1fc8390057ac84187992ac08c05a66ca2e1d75ca2b9a6c386c8ce7b5073

    • SHA512

      2688a925c2e70116683e6b19c8865d858c74e93f9b47f95f11d5587fab62592eb693831e8bc1b969fc3423cd3f379c4c0daa64b7f819a28247c60bbf3c15abc1

    Score
    10/10
    lokibotnetwirebotnetcollectionpersistenceratspywarestealersuricatatrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

      suricata

    • suricata: ET MALWARE LokiBot Checkin

      suricata: ET MALWARE LokiBot Checkin

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

      suricata

    • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

      suricata

    • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

      suricata

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks