Overview

overview

10

Static

static

DHL Expres...pt.exe

windows7-x64

10

DHL Expres...pt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2022 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Express Receipt.exe

  • Size

    1023KB

  • MD5

    61cf71fdffa43e513ee0b7fc22858d3d

  • SHA1

    12fe31f4a16c7d30a3e7de8659a0571e8929b1eb

  • SHA256

    9965fd6b29b9aecaae9ec00b30cd41de793f3ff2d5a5edfcf1c967f3bbcf94bb

  • SHA512

    5ca9b3e71f9ee9757a7ee8fd0ce18e00eec90d90adda598f75f44d91bc0f2c1d31a5b573f53bbb95c45f4e84644686fcd60f594ee6fab359dccd8d64139c3c63

  • SSDEEP

    12288:OfUr/H/dPB7aR3jcN5HpXhmSUKRqQPjqmEA+B6Ihk6QxSVjxrL67cK4HTN:1f/dPAUbkYq088NDIFrLm

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://162.0.223.13/?0ZbRoqHjbXfrX54fnD4rBmzDYlyFq8Yr7ajvA0OLY4dV9iaxVfYwByaATIgkQeLXp4tZ5i

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Express Receipt.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3036-132-0x0000000000C50000-0x0000000000D56000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3036-133-0x0000000005CF0000-0x0000000006294000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3036-134-0x0000000005620000-0x00000000056B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3036-135-0x00000000055F0000-0x00000000055FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3036-136-0x0000000009350000-0x00000000093EC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3036-137-0x00000000092B0000-0x0000000009316000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5084-138-0x0000000000000000-mapping.dmp
    Download
  • memory/5084-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/5084-141-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/5084-142-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/5084-143-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/5084-144-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download