Overview

overview

10

Static

static

SecuriteIn...65.exe

windows7_x64

10

SecuriteIn...65.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-07-2022 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Strictor.273673.27165.exe

  • Size

    1.0MB

  • MD5

    83fc6e09fa1e7f949345467c3c28fb0f

  • SHA1

    78e5bdb5de645f7425462e017a665eca1154b06f

  • SHA256

    acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992

  • SHA512

    70b57e2dca4184c793d492c9507758f4c24b4d90a7486406a9d35bc9b6c32522bb1cf81747bc1e882f00e9cfc6a66742cf7a23650f3573ba550583239e098d6f

Score
10/10
lokibotcollectionspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://198.187.30.47/p.php?id=39139994574808650

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XKfmPt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XKfmPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5776.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1868
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
      2⤵
        PID:3696
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
        2⤵
          PID:3632
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
          2⤵
            PID:2148
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
            2⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:1596

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp5776.tmp
          Filesize

          1KB

          MD5

          004179dce42bce92a5881468f445e611

          SHA1

          b7c5f560e114a553726b8a88bff65f239f85572e

          SHA256

          7f756f2fd2b5d4588b4dd340956dc22264be56f7f5a4f29da7374333282455d8

          SHA512

          1e4ee3a1e710e6df7a5a7d2eda2bba9d513ea7cb2a3431861797ea044a9666e94f651e23109b58c14a6b6dabb7dc5c4e08e2bb943701db9aeaeeabcb158e2b63

          Download Submit
        • memory/1596-162-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1596-150-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1596-148-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1596-145-0x0000000000400000-0x00000000004A2000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1596-144-0x0000000000000000-mapping.dmp
          Download
        • memory/1868-137-0x0000000000000000-mapping.dmp
          Download
        • memory/2148-143-0x0000000000000000-mapping.dmp
          Download
        • memory/3632-142-0x0000000000000000-mapping.dmp
          Download
        • memory/3696-140-0x0000000000000000-mapping.dmp
          Download
        • memory/3848-147-0x0000000004F40000-0x0000000004F62000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3848-157-0x0000000007280000-0x000000000728A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3848-138-0x0000000004940000-0x0000000004976000-memory.dmp
          Filesize

          216KB

          Download
        • memory/3848-136-0x0000000000000000-mapping.dmp
          Download
        • memory/3848-161-0x0000000007530000-0x0000000007538000-memory.dmp
          Filesize

          32KB

          Download
        • memory/3848-160-0x0000000007550000-0x000000000756A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3848-159-0x0000000007440000-0x000000000744E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3848-158-0x0000000007490000-0x0000000007526000-memory.dmp
          Filesize

          600KB

          Download
        • memory/3848-149-0x0000000005840000-0x00000000058A6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3848-141-0x00000000050A0000-0x00000000056C8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/3848-151-0x0000000005F00000-0x0000000005F1E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3848-152-0x00000000064D0000-0x0000000006502000-memory.dmp
          Filesize

          200KB

          Download
        • memory/3848-153-0x0000000070EB0000-0x0000000070EFC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/3848-154-0x00000000064B0000-0x00000000064CE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3848-155-0x0000000007850000-0x0000000007ECA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/3848-156-0x0000000007210000-0x000000000722A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/5104-132-0x0000000004BD0000-0x0000000004C62000-memory.dmp
          Filesize

          584KB

          Download
        • memory/5104-133-0x0000000004C70000-0x0000000004C7A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/5104-130-0x0000000000140000-0x0000000000248000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/5104-134-0x0000000008960000-0x00000000089FC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/5104-135-0x0000000008CB0000-0x0000000008D16000-memory.dmp
          Filesize

          408KB

          Download
        • memory/5104-131-0x0000000005240000-0x00000000057E4000-memory.dmp
          Filesize

          5.6MB

          Download