Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2023 19:04

General

  • Target

    de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9.exe

  • Size

    339KB

  • MD5

    21f218355048519cbfe30b197a9ed5bb

  • SHA1

    ccb176d3bbea60567dc52439ffc0c127fa6eacc4

  • SHA256

    de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9

  • SHA512

    33e88f9b1f374c0c0ac4230876c661a2b4cf05de5b2d1dea46e5f55e4a6644532a95442b74d1e854e9036f9acd2f3c8c1825defcd450cf72fa468529e1feafdf

  • SSDEEP

    3072:4fY/TU9fE9PEtuABKs4fOzqEbeSgikfcIwVN2lQ7+TZe1tnlDcnvGyNWLHgdzMlx:uYa6KMwqGrgihpQstanvGyNWLHiQQBDU

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9.exe
    "C:\Users\Admin\AppData\Local\Temp\de05f9c2ad13c543d4425f070e4608b37aac0b6d25c3816a8fd683cd8795a4b9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
      "C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe" C:\Users\Admin\AppData\Local\Temp\qqzfykljr.euv
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
        "C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3264

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (1): T1081
  • Discovery
    System Information Discovery (1): T1082
  • Collection
    Data from Local System (1): T1005
    Email Collection (1): T1114

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dvgxyu.exe
    Filesize

    53KB

    MD5

    ec4ee3046babbdde2b727200fe57e249

    SHA1

    4b2e0a80947bf22fae5d36e42672e2001f0925f6

    SHA256

    525ac1b4fb934952919058b94afd5760c5e1fc489410d33d969d78962a06f753

    SHA512

    9186a8f6e7b775057331fede1a9efe803869a97a904276df5c46fda9c2946dda6d80f27cec6e9499ef50ec225efff066dd8b0bda69c2a3e46cf74c215136a64b

  • C:\Users\Admin\AppData\Local\Temp\htumj.tgq
    Filesize

    124KB

    MD5

    efc554754a187541e8796eb668035bb3

    SHA1

    97f32f178cb14870ca365a0087e695058ace851d

    SHA256

    9ad33fcd12dc3d5ea791eea89a43690923204d3f264cf90821427b60cc5a526e

    SHA512

    47efd06e5c00786513ad92fc05e97cd41bcb68bc42b2c6ee72dd0fc600da22d3edef00a95784b1d0952893e841578a775375dba569e1c30c9288769986268e9c

  • C:\Users\Admin\AppData\Local\Temp\qqzfykljr.euv
    Filesize

    5KB

    MD5

    ecb37cd6ee8b9db9885ba717d4adb214

    SHA1

    c851738f41f381fb68ff02d4407c66a40674ac55

    SHA256

    5fc04ff9019f6cba12e94c9961b6c94487ad0173ad097c66b868f6cbdc5696ac

    SHA512

    11d1832f232790ceb0faea2f373654e3a91c2d028431692908d6de4c50bfe0664ae9ee4cc55ee5b106f68eb94c9f3547ae15b1a2e1e38fdded1a4c6a3fd7ab8d

  • memory/1612-132-0x0000000000000000-mapping.dmp
  • memory/3264-137-0x0000000000000000-mapping.dmp
  • memory/3264-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/3264-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB