Overview

overview

10

Static

static

441adbf25c...a2.exe

windows7_x64

10

441adbf25c...a2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe

  • Size

    620KB

  • MD5

    d5242869385cc6f80a3573f30969d32e

  • SHA1

    804b91d679866e9c9a8f84abdc203aa5ac6069ef

  • SHA256

    441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2

  • SHA512

    4aa4622bf2d4e23a46ffaa47e7e984afacba5a3bcbcfc872c85b9a5d38e962b2bd59870fedf81375ceb1eb87f493e0079ad0925beccaf50d63e7c30ccfda0a74

Score
10/10
formbooklokibotracollectionratspywarestealersuricatatrojan

Malware Config

Extracted

Family

lokibot

C2

http://strutitinca.ro/ftp/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

Version

3.8

Campaign

ra

Decoy

bee-control.com

profilepaytren.com

hirntod.info

foxrivrefiber.com

redesignmind.com

prowikileaks.com

jeni86.win

franzzegarra.com

veruredrfygj.win

youzhongla.com

mynastudios.com

stop-r.net

pet-dress.com

beautiies.com

aminooctane.com

studiostraccio.com

jiazhengkj.com

itufq.info

ssco2203.com

bollywoodmoviedance.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

    suricata
  • suricata: ET MALWARE LokiBot Checkin

    suricata: ET MALWARE LokiBot Checkin

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

    suricata
  • suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

    suricata
  • suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

    suricata
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
    "C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Users\Admin\AppData\Local\Temp\Nass.exe
      "C:\Users\Admin\AppData\Local\Temp\Nass.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe
      "C:\Users\Admin\AppData\Local\Temp\441adbf25c61c2a9cd0d21e2b492985bfbfb7e728edb4dcd53e3a7d8e652e9a2.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Nass.exe
    Filesize

    104KB

    MD5

    c9bf989640132ea2f2d56816fae1e6cf

    SHA1

    143764d64c923873c06908744d037618791cec73

    SHA256

    696bb2ba51caa1af61cc8fb9c0fb96e2256549f7427f6b44d8af46f03957e2c5

    SHA512

    409891ff65d28dba4766ea0cd0e624225cbddfa6f0cab35fa51036c77999a4246afe629f0a2bb855ba4850cd10ca9130e05e588730d74a5ebc039218e3a1ee2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Nass.exe
    Filesize

    104KB

    MD5

    c9bf989640132ea2f2d56816fae1e6cf

    SHA1

    143764d64c923873c06908744d037618791cec73

    SHA256

    696bb2ba51caa1af61cc8fb9c0fb96e2256549f7427f6b44d8af46f03957e2c5

    SHA512

    409891ff65d28dba4766ea0cd0e624225cbddfa6f0cab35fa51036c77999a4246afe629f0a2bb855ba4850cd10ca9130e05e588730d74a5ebc039218e3a1ee2b

    Download Submit

  • memory/1896-133-0x0000000000000000-mapping.dmp

    Download

  • memory/2068-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2068-138-0x0000000000A30000-0x0000000000D7A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2068-139-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4880-132-0x0000000002260000-0x0000000002266000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4880-137-0x0000000002260000-0x0000000002266000-memory.dmp

    Filesize

    24KB

    Download