Analysis
-
max time kernel
108s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
25-07-2022 05:19
General
-
Target
562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe
-
Size
104KB
-
MD5
bd56a6d3da8c2bd62f9e306ca7833d01
-
SHA1
49894bfc9c76c76e2b361f6ce988af2ffc059fad
-
SHA256
562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b
-
SHA512
de97e3dba8d32465ec7b90cd58d15288336a29acae44730e3438d6cdd170c9b5d6b6fac85732b570b11564f64418e533a54427a90313a8b6275c6745c39a99ba
Malware Config
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe"C:\Users\Admin\AppData\Local\Temp\562834e52d5c081bacfb6f93f106d36085e3e4504e638e6705c53b159b22157b.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path