Analysis
- max time kernel: 71s
- max time network: 73s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-07-2022 06:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- Size: 548KB
- MD5: a03187c0c2cd810f605137b447475202
- SHA1: c570719523f00fd9f5f868f012c6b859e20549e9
- SHA256: 8db93f119551dbb9e49d9894abb0c83e9043b18db2373ff590f90f768aa98587
- SHA512: 36768cb785ac34be7874b30bc4493f32caa0f8f6b6c7fadab5d798c23792b49026cfb66d6d1bea42dd49da0d7f50559ecd6d1539b23a52a30d82b84537c18c62
Malware Config
Extracted family: lokibot
C2 URLs:
- http://198.187.30.47/p.php?id=21242689357140
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 880 set thread context of 860 | 880 | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  860 | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 860 | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 880 wrote to memory of 860 | 880 | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
  (this identical row is recorded 10 times in the report)
- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (level 2, child of the process above) C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.5786.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/860-69-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-61-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-75-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-74-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-72-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-66-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/860-70-0x00000000004139DE-mapping.dmp
- memory/860-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/880-59-0x0000000005B40000-0x0000000005BA2000-memory.dmp (Filesize: 392KB)
- memory/880-58-0x0000000000960000-0x000000000096E000-memory.dmp (Filesize: 56KB)
- memory/880-54-0x00000000012D0000-0x000000000135E000-memory.dmp (Filesize: 568KB)
- memory/880-56-0x0000000000CB0000-0x0000000000D20000-memory.dmp (Filesize: 448KB)
- memory/880-60-0x0000000000E30000-0x0000000000E50000-memory.dmp (Filesize: 128KB)
- memory/880-55-0x0000000075711000-0x0000000075713000-memory.dmp (Filesize: 8KB)
- memory/880-57-0x0000000000740000-0x0000000000760000-memory.dmp (Filesize: 128KB)