Analysis
- max time kernel: 114s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 21:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: Informe bancario.pdf.exe
- Resource: win7-20220414-en
General
- Target: Informe bancario.pdf.exe
- Size: 438KB
- MD5: 21950205d5c3a8536711e5a90dd4c5f7
- SHA1: 59fd75874e921d19b9eed54817662b01f697bfac
- SHA256: be934241304d999e605d938795046cde049e62fc8639557a61a60429ad737af9
- SHA512: 25de0b9cb1cba95d9f2604a72e6ee04a3c4e0ddc6037f5d87ccd631473b371a75f2bc4af31bca77ee56d26d0dba1364ed078f62df4e7d989db67084a94d22a97
Malware Config
Extracted family: lokibot
URLs:
- http://kossa.xyz/esi/pp/play.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: Informe bancario.pdf.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Informe bancario.pdf.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: Informe bancario.pdf.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Informe bancario.pdf.exe)
- Suspicious use of SetThreadContext (1 IoCs)
Processes: Informe bancario.pdf.exe
  - PID 4208 (Informe bancario.pdf.exe) set thread context of target PID 3604 (Informe bancario.pdf.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Informe bancario.pdf.exe
  - PID 4208 Informe bancario.pdf.exe (4 entries)
- Suspicious behavior: RenamesItself (1 IoCs)
Processes: Informe bancario.pdf.exe
  - PID 3604 Informe bancario.pdf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Informe bancario.pdf.exe
  - Token: SeDebugPrivilege, PID 4208 Informe bancario.pdf.exe
  - Token: SeDebugPrivilege, PID 3604 Informe bancario.pdf.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes: Informe bancario.pdf.exe
  - PID 4208 (Informe bancario.pdf.exe) wrote to memory of PID 780 (Informe bancario.pdf.exe): 3 entries
  - PID 4208 (Informe bancario.pdf.exe) wrote to memory of PID 3320 (Informe bancario.pdf.exe): 3 entries
  - PID 4208 (Informe bancario.pdf.exe) wrote to memory of PID 3604 (Informe bancario.pdf.exe): 9 entries
- outlook_office_path (1 IoCs)
Processes: Informe bancario.pdf.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Informe bancario.pdf.exe)
- outlook_win_path (1 IoCs)
Processes: Informe bancario.pdf.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Informe bancario.pdf.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
  - C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
  - C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Informe bancario.pdf.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- memory/780-135-0x0000000000000000-mapping.dmp
- memory/3320-136-0x0000000000000000-mapping.dmp
- memory/3604-137-0x0000000000000000-mapping.dmp
- memory/3604-138-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/3604-140-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/3604-141-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/3604-142-0x0000000000400000-0x00000000004A2000-memory.dmp (filesize 648KB)
- memory/4208-130-0x00000000008F0000-0x0000000000964000-memory.dmp (filesize 464KB)
- memory/4208-131-0x00000000057E0000-0x0000000005D84000-memory.dmp (filesize 5.6MB)
- memory/4208-132-0x0000000005310000-0x00000000053A2000-memory.dmp (filesize 584KB)
- memory/4208-133-0x00000000054B0000-0x00000000054BA000-memory.dmp (filesize 40KB)
- memory/4208-134-0x00000000078D0000-0x000000000796C000-memory.dmp (filesize 624KB)