Overview

overview

10

Static

static

SecuriteIn...96.exe

windows7_x64

10

SecuriteIn...96.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.28996.exe

  • Size

    196KB

  • MD5

    df608b1e6ca45b46e336d6b2c1459f80

  • SHA1

    487d773c1c290028ef6070f4650ab9f59bea1dc5

  • SHA256

    436f9c683b9e4050424953affd1d48ea9973687a89763b7f83d81cf5eb0ec7d2

  • SHA512

    5a2e81fc0648cae440c9545b8a2190ea4773ede90a50e2ccfe9252ba47aa65d14f7c54cd8d12e4bbcd8be0a0e58ffc211d40cf85188674b9d322922e399fc231

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Fake 404 Response

    suricata: ET MALWARE LokiBot Fake 404 Response

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.28996.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.28996.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3008-135-0x0000000000000000-mapping.dmp

    Download

  • memory/3008-136-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3008-138-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3008-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3008-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4780-130-0x0000000000870000-0x00000000008A8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4780-131-0x0000000005230000-0x00000000057D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4780-132-0x0000000004BB0000-0x0000000004C42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4780-133-0x0000000004D40000-0x0000000004DDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4780-134-0x0000000004C60000-0x0000000004C6A000-memory.dmp

    Filesize

    40KB

    Download