Analysis

max time kernel: 130s
max time network: 135s
platform: windows7_x64
resource: win7-20220414-en
submitted: 07-07-2022 09:12

Static task: static1
Behavioral task: behavioral1
Sample: fgtToX654yF6Jrh.exe
Resource: win7-20220414-en
General

Target: fgtToX654yF6Jrh.exe
Size: 582KB
MD5: b4625731758be5cc056580eef61a2111
SHA1: 2295300701dd2c65b41663de365e2084d097cd9a
SHA256: 3733bc38369c103205ce9cceacb873e50a63623aa29c3f27146fb571d251e98f
SHA512: fd7efab8a17b748abf8b58b54dac94637f4a3729dafd19b749dac28e9f474f960b8926c471166102122cb6902ef7ee98585696d790a10e1ed37810493d1d528b
Malware Config

Extracted config family: lokibot
C2 URLs:
http://45.133.1.45/health5/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://[sixth entry not recoverable: the extractor emitted undecodable bytes in place of the host and path]
Signatures
Suricata alerts:
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- ET MALWARE LokiBot Checkin
- ET MALWARE LokiBot Fake 404 Response
- ET MALWARE LokiBot Request for C2 Commands Detected M1
- ET MALWARE LokiBot Request for C2 Commands Detected M2
- ET MALWARE LokiBot User-Agent (Charon/Inferno)
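The Suricata alerts above name the LokiBot traffic traits without showing them. As an added example (not part of this report or of the Emerging Threats ruleset), the Python below applies those traits to HTTP transaction records: the fixed User-Agent the Charon/Inferno rule is named for ("Mozilla/4.08 (Charon; Inferno)"), POST beacons to a fre.php gate, the five C2 URLs extracted from this sample, and a C2 reply that returns status 404 yet carries a body. The transactions are constructed, not taken from the report's capture, and the exact field checks are this example's assumptions rather than the rules' real content patterns.

```python
"""Flag LokiBot-style C2 traffic in HTTP transaction records.

Added example; not part of the sandbox report or the Suricata ruleset.
It checks the traits the "ET MALWARE LokiBot" alerts above are named for.
The transactions are constructed, not taken from the report's pcap, and the
exact field tests are assumptions.
"""
import re
from dataclasses import dataclass

# C2 URLs from the extracted config in this report
C2_URLS = {
    "http://45.133.1.45/health5/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}

LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"   # UA the Charon/Inferno rule keys on
GATE_RE = re.compile(r"/fre\.php$")               # every extracted C2 URL ends this way


@dataclass
class HttpTxn:
    """One request/response pair; a constructed stand-in for a proxy or http.log record."""
    method: str
    url: str
    user_agent: str
    status: int
    resp_body: bytes


def classify(txn: HttpTxn) -> list:
    """Return the LokiBot indicator names that match one transaction (empty if none)."""
    hits = []
    ua_match = txn.user_agent == LOKIBOT_UA
    if ua_match:
        hits.append("lokibot_user_agent")
    if txn.url in C2_URLS:
        hits.append("known_c2_url")
    path = txn.url.split("?", 1)[0]
    if txn.method == "POST" and GATE_RE.search(path):
        hits.append("post_to_fre_php_gate")
    # Assumption: a LokiBot panel answers a beacon with status 404 but a non-empty
    # body. Gating on the UA keeps ordinary 404 pages from firing this check.
    if txn.status == 404 and txn.resp_body and ua_match:
        hits.append("fake_404_response")
    return hits


def scan(txns) -> dict:
    """Map index -> indicator list for every transaction that matched anything."""
    out = {}
    for i, t in enumerate(txns):
        hits = classify(t)
        if hits:
            out[i] = hits
    return out


# Constructed traffic: one beacon to a configured C2, one benign page, one beacon
# to a gate host that is not in this sample's config, and one ordinary 404.
SAMPLE_TXNS = [
    HttpTxn("POST", "http://kbfvzoboss.bid/alien/fre.php", LOKIBOT_UA, 404, b"<html>404</html>"),
    HttpTxn("GET", "https://www.microsoft.com/", "Mozilla/5.0 (Windows NT 6.1; Win64; x64)", 200, b"<html>"),
    HttpTxn("POST", "http://198.51.100.7/panel/fre.php", LOKIBOT_UA, 200, b""),
    HttpTxn("GET", "http://example.com/missing", "Mozilla/5.0 (Windows NT 6.1; Win64; x64)", 404, b"<html>Not Found</html>"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_TXNS).items():
        print(i, SAMPLE_TXNS[i].method, SAMPLE_TXNS[i].url, hits)
```

The known_c2_url set pins detections to this sample's config, while the gate-path and User-Agent checks still catch a beacon to a panel the config does not list (the third transaction); the ordinary 404 in the fourth transaction produces nothing because the fake-404 check requires the LokiBot User-Agent on the same request.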
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: fgtToX654yF6Jrh.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Suspicious use of SetThreadContext (1 IoC)
- PID 732 (fgtToX654yF6Jrh.exe) set thread context of PID 2028 (fgtToX654yF6Jrh.exe)

Suspicious behavior: RenamesItself (1 IoC)
- PID 2028 (fgtToX654yF6Jrh.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 2028 (fgtToX654yF6Jrh.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (10 IoCs)
- PID 732 (fgtToX654yF6Jrh.exe) wrote to memory of PID 2028 (fgtToX654yF6Jrh.exe); the same event is recorded 10 times

outlook_office_path (1 IoC)
Process: fgtToX654yF6Jrh.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

outlook_win_path (1 IoC)
Process: fgtToX654yF6Jrh.exe
- Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes

C:\Users\Admin\AppData\Local\Temp\fgtToX654yF6Jrh.exe (PID 732)
Command line: "C:\Users\Admin\AppData\Local\Temp\fgtToX654yF6Jrh.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Local\Temp\fgtToX654yF6Jrh.exe (PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fgtToX654yF6Jrh.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
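The host-side IoCs above describe a pattern worth encoding as hunting logic: the parent (PID 732) writes memory into and sets a thread context in a child that runs the same image, the child then enables SeDebugPrivilege and opens Outlook profile keys. As an added example (not part of the report and not the sandbox's export format), the Python below runs three rules over constructed behaviour events modelled on those IoC tables plus one benign control. The event field names are this example's assumption. Note that the CREATE_SUSPENDED and ResumeThread steps of full process hollowing do not appear in the report's event list, so the injection rule keys only on what the report shows.

```python
"""Hunt over sandbox behaviour events for the host-side pattern in this report.

Added example; not part of the report. The events are constructed to mirror
the IoC tables above (PID 732 writing into and setting thread context of its
own child 2028, SeDebugPrivilege enabled in 2028, three Outlook profile keys
opened by 2028) plus one benign control. The record field names are this
example's assumption, not the sandbox's export format.
"""
from collections import defaultdict

SAMPLE = "fgtToX654yF6Jrh.exe"
SID = "S-1-5-21-1819626980-2277161760-1023733287-1000"
HKU = r"\REGISTRY\USER" + "\\" + SID


def _evt(api, pid, image, **fields):
    """Build one constructed event record."""
    return {"api": api, "pid": pid, "image": image, **fields}


EVENTS = (
    # the report lists ten WriteProcessMemory IoCs for the same parent/child pair
    [_evt("WriteProcessMemory", 732, SAMPLE, target_pid=2028, target_image=SAMPLE)] * 10
    + [
        _evt("SetThreadContext", 732, SAMPLE, target_pid=2028, target_image=SAMPLE),
        _evt("AdjustPrivilegeToken", 2028, SAMPLE, privilege="SeDebugPrivilege"),
        _evt("RegOpenKey", 2028, SAMPLE, key=HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
        _evt("RegOpenKey", 2028, SAMPLE, key=HKU + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"),
        _evt("RegOpenKey", 2028, SAMPLE, key=HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
        # constructed benign control: Outlook itself opening its own profile key
        _evt("RegOpenKey", 4100, "OUTLOOK.EXE", key=HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    ]
)

# lower-cased suffixes of the two Outlook profile locations seen in the report
OUTLOOK_PROFILE_MARKERS = (
    r"\windows messaging subsystem\profiles\outlook",
    r"\outlook\profiles\outlook",
)


def find_self_injection(events):
    """Parent->child pairs with the same image name where the parent both wrote the
    child's memory and set a thread context in it. Returns {(src, dst): write_count}."""
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if "target_pid" not in e or e["pid"] == e["target_pid"]:
            continue
        if e["image"].lower() != e["target_image"].lower():
            continue
        if e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add((e["pid"], e["target_pid"]))
    return {pair: n for pair, n in writes.items() if pair in ctx}


def find_outlook_profile_access(events):
    """Outlook profile keys opened by any process other than Outlook. Returns {pid: [keys]}."""
    hits = defaultdict(list)
    for e in events:
        if e["api"] != "RegOpenKey" or e["image"].lower() == "outlook.exe":
            continue
        key = e["key"].lower()
        if any(m in key for m in OUTLOOK_PROFILE_MARKERS):
            hits[e["pid"]].append(e["key"])
    return dict(hits)


def find_debug_privilege(events):
    """PIDs that enabled SeDebugPrivilege (the AdjustPrivilegeToken IoC)."""
    return sorted({e["pid"] for e in events
                   if e["api"] == "AdjustPrivilegeToken" and e.get("privilege") == "SeDebugPrivilege"})


def hunt(events):
    """Combine the rules into findings keyed by the process that should be triaged."""
    findings = defaultdict(list)
    for (src, dst), n in find_self_injection(events).items():
        findings[dst].append("injected_by_%d_same_image_%d_writes" % (src, n))
    for pid in find_debug_privilege(events):
        findings[pid].append("sedebugprivilege")
    for pid, keys in find_outlook_profile_access(events).items():
        findings[pid].append("outlook_profiles_%d_keys" % len(keys))
    return dict(findings)


if __name__ == "__main__":
    for pid, f in sorted(hunt(EVENTS).items()):
        print(pid, f)
```

Keying the findings on the child (2028) rather than the parent matches the report's process tree, where the injected copy is the one that touches Outlook profiles; the benign OUTLOOK.EXE control produces no finding because the registry rule excludes Outlook's own image.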