Analysis
- max time kernel: 119s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 01:26
Static task: static1
Behavioral task: behavioral1
Sample: Purchase OrderPDF.ARJ.exe
Resource: win7-20220414-en
General
- Target: Purchase OrderPDF.ARJ.exe
- Size: 511KB
- MD5: df80aec9cb4a8a5c0175a3d7ca352107
- SHA1: 4346176f31584b17b4b790908d6984bf43487c1c
- SHA256: 1e6f5352bb12ba7c2f9cba16e628eecd4cfe8e7f14a3b552f9be7b7b54afcd35
- SHA512: 5112d3cdea6143331674d494cf302d4457d79602b1a1447e4eff004d6d75cec0f45a7b416ca61fea82209571d1e5a8f31ac0ba776c6416a8e69589b7158c2423
Malware Config
Extracted family: lokibot
C2:
- http://sempersim.su/gi9/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Purchase OrderPDF.ARJ.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (process: Purchase OrderPDF.ARJ.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Purchase OrderPDF.ARJ.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3744 (Purchase OrderPDF.ARJ.exe) set thread context of PID 4008 (Purchase OrderPDF.ARJ.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - PID 4008 (Purchase OrderPDF.ARJ.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 4008 (Purchase OrderPDF.ARJ.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 3744 (Purchase OrderPDF.ARJ.exe) wrote to memory of PID 4008 (Purchase OrderPDF.ARJ.exe); the same event is recorded 9 times
- outlook_office_path (1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (process: Purchase OrderPDF.ARJ.exe)
- outlook_win_path (1 IoC)
  Processes:
  - Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: Purchase OrderPDF.ARJ.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.ARJ.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.ARJ.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.ARJ.exe (level 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase OrderPDF.ARJ.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3744-130-0x00000000005C0000-0x0000000000646000-memory.dmp (Filesize: 536KB)
- memory/3744-131-0x0000000005670000-0x0000000005C14000-memory.dmp (Filesize: 5.6MB)
- memory/3744-132-0x0000000004FE0000-0x0000000005072000-memory.dmp (Filesize: 584KB)
- memory/3744-133-0x0000000005090000-0x000000000509A000-memory.dmp (Filesize: 40KB)
- memory/3744-134-0x0000000007570000-0x000000000760C000-memory.dmp (Filesize: 624KB)
- memory/3744-135-0x0000000007780000-0x00000000077E6000-memory.dmp (Filesize: 408KB)
- memory/4008-136-0x0000000000000000-mapping.dmp
- memory/4008-137-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4008-139-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4008-140-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/4008-141-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)