Analysis

  • max time kernel
    190s
  • max time network
    217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220721-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-08-2022 02:12

General

  • Target

    5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe

  • Size

    212KB

  • MD5

    8dde6ae8991612c769a66608dd50fe8f

  • SHA1

    acff562f6e60abf3cfb0dccc2097bc0576bade70

  • SHA256

    5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53

  • SHA512

    4ce90dd6899fc311523bbf0c00676a2456a6b888287bb33278aac567348718d808ae52392b7a12506de2dca24e9cc94ab73c02e514c1282e8e2f974c10f93387

Malware Config

Extracted

Family

lokibot

C2

http://ipvhost.duckdns.org:6060/host/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
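
The five C2 URLs above share one gate path (fre.php) and one of them sits on a dynamic-DNS domain (duckdns.org). The following is an added example, not part of the sandbox report or of any Lokibot tooling: it turns the extracted C2 list into host/path indicators and runs them over proxy log lines. The log format and the log lines are constructed; the "POST to fre.php on an unlisted host" rule is an assumption generalised from the five paths listed, not a signature the report itself contains.

```python
"""Match the Lokibot C2 list from the report against proxy logs.
Added example; log format and lines are constructed, not captured traffic."""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted by the sandbox (see Malware Config above).
C2_URLS = [
    "http://ipvhost.duckdns.org:6060/host/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Dynamic-DNS suffixes worth flagging separately (duckdns.org appears above;
# the others are common DDNS providers, added here as an assumption).
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".hopto.org", ".ddns.net")


def indicators(urls):
    """Build {host: {"paths": set, "ports": set, "ddns": bool}} from C2 URLs."""
    out = {}
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()
        rec = out.setdefault(host, {"paths": set(), "ports": set(), "ddns": False})
        rec["paths"].add(parts.path)
        rec["ports"].add(parts.port or 80)       # http default when no port given
        rec["ddns"] = host.endswith(DDNS_SUFFIXES)
    return out


def match_log_line(line, iocs):
    """Classify one constructed proxy log line.

    Constructed format: '<ts> <client> <method> <host>:<port> <path> <status>'
    Returns a list of hit labels; an empty list means no match.
    """
    _ts, _client, method, hostport, path, _status = line.split()
    host, _, _port = hostport.rpartition(":")
    host = host.lower()
    hits = []
    if host in iocs:
        hits.append("c2-host")
        if path in iocs[host]["paths"]:
            hits.append("c2-url")
        if iocs[host]["ddns"]:
            hits.append("ddns")
    # Every listed C2 uses the same gate script.  A POST to fre.php on a host
    # that is not yet on the list is a weaker, family-level heuristic
    # (assumption: operators keep the panel path when they rotate domains).
    elif method == "POST" and path.endswith("/fre.php"):
        hits.append("fre.php-post")
    return hits


# Constructed log lines: two true C2 beacons, one benign request, and one
# beacon to a host that is not on the extracted list.
SAMPLE_LOGS = [
    "2022-08-02T02:13:01Z 10.0.0.5 POST ipvhost.duckdns.org:6060 /host/fre.php 404",
    "2022-08-02T02:13:02Z 10.0.0.5 POST kbfvzoboss.bid:80 /alien/fre.php 000",
    "2022-08-02T02:13:05Z 10.0.0.7 GET www.example.com:80 /index.html 200",
    "2022-08-02T02:13:09Z 10.0.0.9 POST 203.0.113.10:80 /panel/fre.php 200",
]


def scan(lines, urls=C2_URLS):
    """Return [(client_ip, hit_labels)] for every line that matched."""
    iocs = indicators(urls)
    results = []
    for line in lines:
        hits = match_log_line(line, iocs)
        if hits:
            results.append((line.split()[1], hits))
    return results


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOGS):
        print(f"{client}: {', '.join(hits)}")
```

Exact host matches are the high-confidence signal; the fre.php heuristic should be treated as a lead to pivot on, not a block rule, since the path is short and generic.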

Signatures

  • Lokibot

    Lokibot is a password and cryptocurrency wallet stealer.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form-autofill data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; for a stealer such as Lokibot it is better read as discovery of drives to harvest files from (see T1082 and T1005 under MITRE ATT&CK below).

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
    "C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe
      "C:\Users\Admin\AppData\Local\Temp\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4428
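
The tree above shows the sample (PID 1368) starting a second copy of its own image (PID 4428), with SetThreadContext and WriteProcessMemory flagged on the parent and the child then carrying the stealer behaviour and a 0x400000-0x4A2000 image dump. That is the shape of process hollowing of a child copy of itself. The following is an added example, not part of the report: a heuristic over process-create and cross-process API events that separates "parent writes into and re-contexts a child of the same image" from generic injection. The event records are constructed to mirror the tree, and the example assumes a monitor that logs the target PID of cross-process calls (the root's parent PID and the benign control process are made up).

```python
"""Flag self-hollowing from process-create and cross-process API events.
Added example; EVENTS is constructed to mirror the report's process tree."""
from collections import defaultdict

IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\5acf23f0835e6330dff92f9e57225d3540aa333cde58e3044b926dcc6929cd53.exe")

# Constructed events.  PIDs 1368/4428 and the API names come from the report;
# ppid 812 for the root and the notepad control process are invented.
EVENTS = [
    {"type": "process_create", "pid": 1368, "ppid": 812, "image": IMAGE},
    {"type": "process_create", "pid": 4428, "ppid": 1368, "image": IMAGE},
    {"type": "api", "pid": 1368, "api": "WriteProcessMemory", "target_pid": 4428},
    {"type": "api", "pid": 1368, "api": "WriteProcessMemory", "target_pid": 4428},
    {"type": "api", "pid": 1368, "api": "SetThreadContext", "target_pid": 4428},
    {"type": "process_create", "pid": 5000, "ppid": 812,
     "image": r"C:\Windows\System32\notepad.exe"},
    # In-process SetThreadContext (debuggers, exception handlers) is not a hit.
    {"type": "api", "pid": 5000, "api": "SetThreadContext", "target_pid": 5000},
]

# Both a memory write and a thread-context change on the same target are
# required; either alone produces too many benign hits.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_self_injection(events):
    """Return findings for (source, target) pairs that saw both hollowing APIs.

    verdict is "self-hollowing" when the target is a direct child running the
    same image as the source, otherwise "cross-process-injection".
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    touched = defaultdict(set)                  # (src pid, dst pid) -> APIs
    for e in events:
        if e["type"] != "api" or e["api"] not in HOLLOWING_APIS:
            continue
        dst = e.get("target_pid")
        if dst is None or dst == e["pid"]:      # same-process use is not the signal
            continue
        touched[(e["pid"], dst)].add(e["api"])

    findings = []
    for (src, dst), apis in touched.items():
        if apis != HOLLOWING_APIS:
            continue
        parent, child = procs.get(src), procs.get(dst)
        if parent is None or child is None:
            continue                            # incomplete telemetry; skip
        same_image = parent["image"].lower() == child["image"].lower()
        direct_child = child["ppid"] == src
        verdict = "self-hollowing" if (same_image and direct_child) else "cross-process-injection"
        findings.append({"parent": src, "child": dst,
                         "apis": sorted(apis), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_self_injection(EVENTS):
        print(f"{f['verdict']}: {f['parent']} -> {f['child']} via {', '.join(f['apis'])}")
```

The child is the process to pull memory from: the 648KB region at the classic 32-bit image base in the dumps below is where the unpacked payload lives, while the parent is just the loader.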

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access
  • Credentials in Files (T1081), 1 hit

Discovery
  • System Information Discovery (T1082), 1 hit

Collection
  • Data from Local System (T1005), 1 hit
  • Email Collection (T1114), 1 hit

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\System.dll
    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

  • C:\Users\Admin\AppData\Local\Temp\psychobiologist.dll
    Filesize

    56KB

    MD5

    b84990430b17727c2a3fd7cd0485f80d

    SHA1

    45c66d25485ff40522e16ab031770520ad9de903

    SHA256

    30e7a9b1043e4d01503b0d5998b4703f66532ddacb2dcfdad1932fb3e3fc083e

    SHA512

    922eaf2633402ddec2a1fcfeda84a843ffebfc481feb28b79c637b3b978b04c15084877a32c5a55b2dd79a74a7fdb9e3149abfe18bdf0ea6b899c4964fbcd6c3

  • memory/1368-133-0x0000000003000000-0x000000000300F000-memory.dmp
    Filesize

    60KB

  • memory/4428-134-0x0000000000000000-mapping.dmp
  • memory/4428-135-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/4428-137-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/4428-138-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/4428-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB
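
The listing above mixes dropped files (with four digests each) and memory dumps whose names encode PID, sequence number and address range; one dropped file appears twice. The following is an added example, not part of the report: it normalises such entries into a deduplicated IOC set, validates digest formats, parses the dump names and checks each stated size against the address range, and flags the 0x400000 region as the default 32-bit PE image base. The file and dump data are copied from the listing above; the dump-name pattern, the choice to key deduplication on SHA-256, and the sample bytes hashed at the end are this example's own assumptions.

```python
"""Normalise sandbox 'Downloads' entries into IOCs and sanity-check them.
Added example; DROPPED and MEMORY are copied from the report listing."""
import hashlib
import re

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Assumed dump-name layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# (path, stated size in KB, md5, sha1, sha256) as listed; the duplicate entry
# is kept on purpose to show deduplication.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\System.dll", 11,
     "3f176d1ee13b0d7d6bd92e1c7a0b9bae",
     "fe582246792774c2c9dd15639ffa0aca90d6fd0b",
     "fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e"),
    (r"C:\Users\Admin\AppData\Local\Temp\psychobiologist.dll", 56,
     "b84990430b17727c2a3fd7cd0485f80d",
     "45c66d25485ff40522e16ab031770520ad9de903",
     "30e7a9b1043e4d01503b0d5998b4703f66532ddacb2dcfdad1932fb3e3fc083e"),
    (r"C:\Users\Admin\AppData\Local\Temp\psychobiologist.dll", 56,
     "b84990430b17727c2a3fd7cd0485f80d",
     "45c66d25485ff40522e16ab031770520ad9de903",
     "30e7a9b1043e4d01503b0d5998b4703f66532ddacb2dcfdad1932fb3e3fc083e"),
]

# (dump name, stated size in KB or None when the report gives none)
MEMORY = [
    ("memory/1368-133-0x0000000003000000-0x000000000300F000-memory.dmp", 60),
    ("memory/4428-134-0x0000000000000000-mapping.dmp", None),
    ("memory/4428-135-0x0000000000400000-0x00000000004A2000-memory.dmp", 648),
    ("memory/4428-137-0x0000000000400000-0x00000000004A2000-memory.dmp", 648),
]


def valid_hash(kind, value):
    """True when value is lowercase/uppercase hex of the right length for kind."""
    return len(value) == HASH_LEN[kind] and all(c in "0123456789abcdef" for c in value.lower())


def dedupe_dropped(entries):
    """Collapse repeated drops of identical content, keyed on SHA-256."""
    seen = {}
    for path, kb, md5, sha1, sha256 in entries:
        for kind, v in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
            if not valid_hash(kind, v):
                raise ValueError(f"malformed {kind} for {path}: {v}")
        rec = seen.setdefault(sha256, {"paths": set(), "size_kb": kb,
                                       "md5": md5, "sha1": sha1, "drops": 0})
        rec["paths"].add(path)
        rec["drops"] += 1
    return seen


def parse_memory(name, stated_kb):
    """Decode a dump name; cross-check its stated size against the range."""
    m = MEM_RE.match(name)
    if not m:
        kind = "mapping" if name.endswith("mapping.dmp") else "unknown"
        return {"name": name, "kind": kind}
    start, end = int(m["start"], 16), int(m["end"], 16)
    size_kb = (end - start) // 1024
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
        "size_kb": size_kb,
        "size_matches": stated_kb is not None and size_kb == stated_kb,
        # 0x400000 is the default image base of a 32-bit PE; a dump starting
        # there is the region to carve for the unpacked payload.
        "pe_image_base": start == 0x400000,
    }


def digests(data: bytes):
    """All four digests the report lists, for comparing a file in hand."""
    return {k: getattr(hashlib, k)(data).hexdigest() for k in HASH_LEN}


def is_known_bad(data: bytes, dropped=DROPPED):
    return digests(data)["sha256"] in dedupe_dropped(dropped)


if __name__ == "__main__":
    for sha, rec in dedupe_dropped(DROPPED).items():
        print(f"{sha}  drops={rec['drops']}  {sorted(rec['paths'])}")
    for name, kb in MEMORY:
        print(parse_memory(name, kb))
```

Both stated sizes check out against the address ranges (0xF000 is 60KB, 0xA2000 is 648KB), which is worth confirming before carving, since a mismatch usually means a truncated dump.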