Overview

overview

10

Static

static

TT swift advise.exe

windows7_x64

10

TT swift advise.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-07-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT swift advise.exe

  • Size

    490KB

  • MD5

    a9c5b90bea45b7cc178b12622e8e9740

  • SHA1

    8ed7875dcfd593a1f69dd27a14eee37f16d89066

  • SHA256

    a44ca269366aaf1ff566a07612899523e7b865b3af8f18a4f98918ecaba79c65

  • SHA512

    90a89f3b43582691ce231ff86e75f7a05ed5d10c91a5092ba7093a82b9f4f163c668c5b86882f21b3ed76aac725e98e923dcf3d49ea4077edfa901f027cd0f7e

Score
10/10
lokibotcollectionevasionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gi10/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Fake 404 Response

    suricata: ET MALWARE LokiBot Fake 404 Response

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
    "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kdNepFKSI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kdNepFKSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1537.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
      "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
      2⤵
        PID:1872
      • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
        "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
        2⤵
          PID:2040
        • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
          "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
          2⤵
            PID:1784
          • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
            "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
            2⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1236

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Query Registry

        4
        T1012

        Virtualization/Sandbox Evasion

        2
        T1497

        System Information Discovery

        3
        T1082

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp1537.tmp
          Filesize

          1KB

          MD5

          d8aa6ca9513db2ef55d556331a10c97e

          SHA1

          dc611f361d2e65ec6d201ac5ee66f964aa7194be

          SHA256

          a1faeae4a02feab5477be90ac9b699776b7d03d60bbbb717d3000b2146e94266

          SHA512

          bcbae1cf92af455030293eb55c43ab06c06b5c6fc8c7f97452b7851f3a0ca30d98ba555248134e914af67c11f45d4a2ceb283058e19cfaa60f844e9b3ebe88c0

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          2505011aee30dd9d9e45d38610b7e70e

          SHA1

          5c9d01b2c8f2e912ea9d673abaae0040b9425ef2

          SHA256

          713935438aa9e4b8723c976d2969713c3ad5b1ced4548ff7fb193d84e2fec48f

          SHA512

          bfa2e360a023ca915a0e870a504ff90c2f7838b69e0b14058bd15aec33c10a339df7c3f883e9d98afd4e9bb36f71065785e0d67ce7f4a37959eb98c9f9ea8423

          Download Submit
        • memory/972-73-0x000000006EC40000-0x000000006F1EB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/972-83-0x000000006EC40000-0x000000006F1EB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/972-62-0x0000000000000000-mapping.dmp
          Download
        • memory/1216-55-0x0000000075951000-0x0000000075953000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1216-56-0x0000000002000000-0x0000000002068000-memory.dmp
          Filesize

          416KB

          Download
        • memory/1216-57-0x00000000003A0000-0x00000000003C0000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1216-58-0x0000000000520000-0x000000000052E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/1216-59-0x0000000005000000-0x0000000005058000-memory.dmp
          Filesize

          352KB

          Download
        • memory/1216-54-0x0000000000050000-0x00000000000D0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/1216-67-0x0000000005070000-0x0000000005090000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1236-76-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-78-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-72-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-69-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-68-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-75-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-86-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-84-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1236-79-0x00000000004139DE-mapping.dmp
          Download
        • memory/1236-81-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1580-60-0x0000000000000000-mapping.dmp
          Download
        • memory/1580-70-0x000000006EC40000-0x000000006F1EB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1580-85-0x000000006EC40000-0x000000006F1EB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1712-63-0x0000000000000000-mapping.dmp
          Download