Overview

overview

10

Static

static

SecuriteIn...65.exe

windows7_x64

3

SecuriteIn...65.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Strictor.273673.27165.exe

  • Size

    1.0MB

  • MD5

    83fc6e09fa1e7f949345467c3c28fb0f

  • SHA1

    78e5bdb5de645f7425462e017a665eca1154b06f

  • SHA256

    acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992

  • SHA512

    70b57e2dca4184c793d492c9507758f4c24b4d90a7486406a9d35bc9b6c32522bb1cf81747bc1e882f00e9cfc6a66742cf7a23650f3573ba550583239e098d6f

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=39139994574808650

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XKfmPt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XKfmPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4844.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2260
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
      2⤵
        PID:2636
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2276

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp4844.tmp
      Filesize

      1KB

      MD5

      ec1509fd1f45b9c457ae48700a2228e4

      SHA1

      fbc4869c3c0cf756650e9338118ac86fdf6766b9

      SHA256

      cf7faa49553f8e84a10e930cb6ed043b41e6e8e67b9892749aa7910dd239d3bd

      SHA512

      9d6f8589ada6336374b2f92161d692b5dbda151386a237ca66bec266011bff7160074003056789d546870c77df3df638f8c93219bb03788b824b129f87768f43

      Download Submit
    • memory/1580-133-0x0000000004B00000-0x0000000004B0A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1580-132-0x0000000004B90000-0x0000000004C22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1580-130-0x0000000000080000-0x0000000000188000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1580-134-0x00000000088A0000-0x000000000893C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1580-135-0x0000000008BF0000-0x0000000008C56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1580-131-0x0000000005210000-0x00000000057B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2260-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2276-160-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2276-148-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2276-146-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2276-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2276-144-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/2636-141-0x0000000000000000-mapping.dmp
      Download
    • memory/3156-143-0x0000000004C60000-0x0000000004C82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3156-152-0x00000000062C0000-0x00000000062DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3156-140-0x00000000050F0000-0x0000000005718000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3156-138-0x0000000002420000-0x0000000002456000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3156-149-0x0000000005D20000-0x0000000005D3E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3156-150-0x00000000062F0000-0x0000000006322000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3156-151-0x0000000070DE0000-0x0000000070E2C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3156-147-0x0000000005000000-0x0000000005066000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3156-153-0x0000000007670000-0x0000000007CEA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3156-154-0x0000000007030000-0x000000000704A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3156-155-0x00000000070A0000-0x00000000070AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3156-156-0x00000000072B0000-0x0000000007346000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3156-157-0x0000000007260000-0x000000000726E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3156-158-0x0000000007370000-0x000000000738A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3156-159-0x0000000007350000-0x0000000007358000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3156-136-0x0000000000000000-mapping.dmp
      Download