Analysis
- max time kernel: 112s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 20:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
- Resource: win7-20220414-en
General
- Target: 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
- Size: 196KB
- MD5: 4aae3c3a3c9f8d2f1660d77a9e46ee3f
- SHA1: 84be1ccdca9180c045f87538f2f622ab9077a308
- SHA256: e158e498bda3cde4df366f813f2b06c075b77661a2df6c906eab052764337aad
- SHA512: 4a5bf6f90ddc2158b116b82bb0c455f955f607a5a76ea1d3c0e62e00e7791a329427aa125053cfb38bd8a207e0da3fe392e7cc67f7b878286b4102a35b4b7229
Malware Config
Extracted family: lokibot
C2 URLs:
- http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: AddInProcess32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | AddInProcess32.exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | AddInProcess32.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
description | pid | process | target process
PID 792 set thread context of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
pid | process
792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe, AddInProcess32.exe
description | pid | process
Token: SeDebugPrivilege | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
Token: SeDebugPrivilege | 1916 | AddInProcess32.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
description | pid | process | target process
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
PID 792 wrote to memory of 1916 | 792 | 4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe | AddInProcess32.exe
outlook_office_path (1 IoCs)
Processes: AddInProcess32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | AddInProcess32.exe
outlook_win_path (1 IoCs)
Processes: AddInProcess32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | AddInProcess32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4aae3c3a3c9f8d2f1660d77a9e46ee3f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (child of the process above)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/792-130-0x0000000000480000-0x00000000004B8000-memory.dmp (Filesize 224KB)
- memory/792-131-0x00000000057B0000-0x0000000005D54000-memory.dmp (Filesize 5.6MB)
- memory/792-132-0x0000000005200000-0x0000000005292000-memory.dmp (Filesize 584KB)
- memory/792-133-0x0000000005340000-0x00000000053DC000-memory.dmp (Filesize 624KB)
- memory/792-134-0x0000000005420000-0x000000000542A000-memory.dmp (Filesize 40KB)
- memory/1916-135-0x0000000000000000-mapping.dmp
- memory/1916-136-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1916-138-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1916-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)
- memory/1916-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize 648KB)