Overview

overview

10

Static

static

TT swift advise.exe

windows7_x64

10

TT swift advise.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-07-2022 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT swift advise.exe

  • Size

    490KB

  • MD5

    a9c5b90bea45b7cc178b12622e8e9740

  • SHA1

    8ed7875dcfd593a1f69dd27a14eee37f16d89066

  • SHA256

    a44ca269366aaf1ff566a07612899523e7b865b3af8f18a4f98918ecaba79c65

  • SHA512

    90a89f3b43582691ce231ff86e75f7a05ed5d10c91a5092ba7093a82b9f4f163c668c5b86882f21b3ed76aac725e98e923dcf3d49ea4077edfa901f027cd0f7e

Score
10/10
lokibotcollectionevasionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gi10/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Fake 404 Response

    suricata: ET MALWARE LokiBot Fake 404 Response

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
    "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4260
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kdNepFKSI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kdNepFKSI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE38A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2288
    • C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe
      "C:\Users\Admin\AppData\Local\Temp\TT swift advise.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    ea104ef2c3037c398b17e7993539c1e3

    SHA1

    d84586d63c8906ef64506d015b14c0ebf26ecaac

    SHA256

    d8894f51718a8985840ed93adecf8d76691f26c55dadd56d252603373695565d

    SHA512

    fcb74f0f31f45777086a8aa8a11573a846bfb6e05bebcf566f7c38d8f51588adf20442ceb20784b9959b479375dc3a64c745fa68c17087ba7477ba5153a85f74

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpE38A.tmp
    Filesize

    1KB

    MD5

    fca406bc574fab2475030556cfff9390

    SHA1

    56223628dd4ea64113b686d8642dcaf117225fa8

    SHA256

    86c80bfe837c363dd636de401bc278b6232e6d2d8df8e92221557298af71807c

    SHA512

    f838be8997c1a67e0a344492f0cda8764596d10260aad6e9c6897ea12fd1e2c3f8ee8db4c3eb04664c67aa28202bbb186b9d118281ac31675e5273ed74bfcdae

    Download Submit
  • memory/392-162-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/392-149-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/392-147-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/392-145-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/392-144-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-155-0x0000000007570000-0x000000000758A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2216-153-0x0000000074D20000-0x0000000074D6C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2216-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-158-0x00000000077A0000-0x00000000077AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2216-156-0x00000000075E0000-0x00000000075EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2288-142-0x0000000000000000-mapping.dmp
    Download
  • memory/3076-131-0x0000000005F90000-0x0000000006534000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3076-132-0x00000000058B0000-0x0000000005942000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3076-136-0x000000000A1D0000-0x000000000A236000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3076-134-0x00000000096B0000-0x000000000974C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3076-130-0x0000000000EA0000-0x0000000000F20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/3076-133-0x0000000005970000-0x000000000597A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4260-151-0x0000000074D20000-0x0000000074D6C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4260-138-0x0000000004C80000-0x00000000052A8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4260-152-0x0000000006030000-0x000000000604E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4260-150-0x0000000006A30000-0x0000000006A62000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4260-154-0x00000000073D0000-0x0000000007A4A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4260-148-0x0000000005A90000-0x0000000005AAE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4260-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4260-157-0x0000000007010000-0x00000000070A6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/4260-137-0x0000000002190000-0x00000000021C6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4260-159-0x00000000070D0000-0x00000000070EA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4260-160-0x00000000070B0000-0x00000000070B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4260-141-0x00000000052B0000-0x0000000005316000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4260-139-0x0000000004BE0000-0x0000000004C02000-memory.dmp
    Filesize

    136KB

    Download