Overview

overview

10

Static

static

Swift Copy.exe

windows7-x64

10

Swift Copy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift Copy.exe

  • Size

    698KB

  • MD5

    0a99061b72976690d691965f3f769029

  • SHA1

    0f18e36ba4f9c237a581d84b1c432e057bdbf640

  • SHA256

    22ec78245f539dccb24499087dc288cc5f32a12c1871bc4b098896566439706a

  • SHA512

    b9b8c21b492dd21ae2e8be13825e7a6b56d6cb36fff53070f27d0710515cce2693d19234152c0931971fd43af4688aab04363e5fdd24397d16bc8fec8bdcf23c

  • SSDEEP

    6144:EfeWkoOdCpoajJRvwDVkwZdLLQJdWoLiA0Z1GGoxaKbHk4IxlY3/6UP453hrKLhX:9iAtdLUXOTZEEKbERs3iUP45RrucP

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://sempersim.su/gk18/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
      "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1644

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/444-132-0x0000000000C10000-0x0000000000CC4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/444-133-0x0000000005B50000-0x00000000060F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/444-134-0x0000000005680000-0x0000000005712000-memory.dmp

    Filesize

    584KB

    Download

  • memory/444-135-0x0000000005670000-0x000000000567A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/444-136-0x0000000008240000-0x00000000082DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/444-137-0x0000000008450000-0x00000000084B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1644-138-0x0000000000000000-mapping.dmp

    Download

  • memory/1644-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1644-141-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1644-142-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1644-143-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download