Analysis
-
max time kernel
101s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-07-2022 15:01
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220414-en
General
-
Target
tmp.exe
-
Size
408KB
-
MD5
1269016b05d9b44e1dbe22d1708477a7
-
SHA1
b593fdf07a072b26831ea3b540a1339942a4f9cd
-
SHA256
1d444781fd26cd8473209b0bf3c5876e2fc18799eecd2e21e4766fe674c9eb98
-
SHA512
e47501ce5e299150023ed908d64ca5566700a2c8b007923c68bcba825665ac1394fb7d49854c3108f6ce52e4884ad00c520726beba5f594847c85d95364acbd0
Malware Config
Extracted
lokibot
http://www.debs.jithiadaproperties.com/alhaji/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
tmp.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook tmp.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook tmp.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook tmp.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmp.exedescription pid process target process PID 1504 set thread context of 1916 1504 tmp.exe tmp.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
tmp.exepid process 1916 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmp.exedescription pid process Token: SeDebugPrivilege 1916 tmp.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
tmp.exedescription pid process target process PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe PID 1504 wrote to memory of 1916 1504 tmp.exe tmp.exe -
outlook_office_path 1 IoCs
Processes:
tmp.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook tmp.exe -
outlook_win_path 1 IoCs
Processes:
tmp.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1916
-