Overview

overview

10

Static

static

Purchase Inquiry.exe

windows7-x64

10

Purchase Inquiry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Inquiry.exe

  • Size

    629KB

  • MD5

    b47adf27915c7af2a24fc9081dff22f7

  • SHA1

    d0ae952ed86784b05b913d666d2fd1a5fb1c746e

  • SHA256

    208591b78135b397fcf22a58338bea5c086935362fb5e255e40ecb1a78245209

  • SHA512

    92c4f67842bc7bf6923b8d53a10f719e4be5efd52b531256a41bf870fe6036817c29adfb80881a14fe63ead9fb6fd74086885e1c37d3287d7aefc505e241823a

  • SSDEEP

    12288:k17BPDV/nJCDSwf8Ak8ZW3CFx8FGw3gdfxDeu6PFc2T+g:27hDlXwf8CxWGZdfxDeuI+

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://157.245.36.27/~dokterpol/?page=14914169539334

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3284
    • C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
      2⤵
        PID:1964
      • C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3868

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1964-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3284-132-0x0000000000740000-0x00000000007E4000-memory.dmp
      Filesize

      656KB

      Download
    • memory/3284-133-0x0000000005960000-0x0000000005F04000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3284-134-0x00000000051B0000-0x0000000005242000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3284-135-0x0000000002C40000-0x0000000002C4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3284-136-0x00000000010D0000-0x000000000116C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3868-138-0x0000000000000000-mapping.dmp
      Download
    • memory/3868-139-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/3868-141-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/3868-142-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download
    • memory/3868-143-0x0000000000400000-0x00000000004A2000-memory.dmp
      Filesize

      648KB

      Download