Overview

overview

10

Static

static

5645519db8...fb.exe

windows7-x64

1

5645519db8...fb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb

  • Size

    388KB

  • Sample

    220725-e4gzfaefe8

  • MD5

    ef2c7bf69513cf30d5320579df36d8f3

  • SHA1

    43443365284476e3b3744b37bcf835340c93fcfe

  • SHA256

    5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb

  • SHA512

    97e5bf3d030aef21ed0ab0107fa73ac6057aa48dcd14e30b53452dc95e0a365b5d9a859751412f3a074217c687f479147daa0ed23c056569b3388d9fc31d8bfd

Score
10/10
lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://meta-mim.in/wp-includes/js/pzy/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes
  • activex_autorun

    true

  • activex_key

    {84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    IRobWUAG

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Avast

  • use_mutex

    true

Targets

    • Target

      5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb

    • Size

      388KB

    • MD5

      ef2c7bf69513cf30d5320579df36d8f3

    • SHA1

      43443365284476e3b3744b37bcf835340c93fcfe

    • SHA256

      5645519db8b96eb738ef36c10d8eba150a2c19a13592d0e8ea5e57f64e43b4fb

    • SHA512

      97e5bf3d030aef21ed0ab0107fa73ac6057aa48dcd14e30b53452dc95e0a365b5d9a859751412f3a074217c687f479147daa0ed23c056569b3388d9fc31d8bfd

    Score
    10/10
    lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks