Overview

overview

10

Static

static

1c99a91428...0b.exe

windows7-x64

10

1c99a91428...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2023 13:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c99a914285fd2e4bbf9c25627a9155db90d7859a1e17e127eb29ba0adc4ae0b.exe

  • Size

    379KB

  • MD5

    dba09c71b53f5ec9eb4d0e059cc29eaf

  • SHA1

    7515c48f24456ab7f9ee1d10fc70fe9cbe1eabe2

  • SHA256

    1c99a914285fd2e4bbf9c25627a9155db90d7859a1e17e127eb29ba0adc4ae0b

  • SHA512

    6a7eb3f81e551ada99d731c78f3ac668ca9ed12b94201539d4045a4fa3ae2882f2e02d6f29153869f80b31f7befcb71a16243206736d247975c51907c7cda3f8

  • SSDEEP

    6144:3Ya6aLpG6rcP9Dbs/ObH2qcKfmRasX27vTv3O0ajq7p5LgOq6xqUlRg:3YMLpXro9vmRRX2LTv3Op2piWxqUg

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://171.22.30.147/kelly/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c99a914285fd2e4bbf9c25627a9155db90d7859a1e17e127eb29ba0adc4ae0b.exe
    "C:\Users\Admin\AppData\Local\Temp\1c99a914285fd2e4bbf9c25627a9155db90d7859a1e17e127eb29ba0adc4ae0b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\gulodu.exe
      "C:\Users\Admin\AppData\Local\Temp\gulodu.exe" C:\Users\Admin\AppData\Local\Temp\zmrsmmh.xe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Users\Admin\AppData\Local\Temp\gulodu.exe
        "C:\Users\Admin\AppData\Local\Temp\gulodu.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cwbnk.ar
    Filesize

    124KB

    MD5

    f886461e2d3ec90a8da64617ed2a0906

    SHA1

    fcf7dde84197bf2133cc1f2af0bc80afbe1aedc3

    SHA256

    b2e56db3542ac8593b6855e5764f5f6d822aafe9c21324dce20a3de367c8a04c

    SHA512

    225f5bad7d9a49ddb807bc9381f78e8511ceca35cbc6910b871a80f2521032ca867d2c97d897f57b83d10147bc75d1831bc6973011ddcac2db0b778c3cdb0027

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gulodu.exe
    Filesize

    61KB

    MD5

    ad9d87839129b5e0605029351f75e668

    SHA1

    09ecf242723e0d4665df48c5a127d145616c3321

    SHA256

    e5284583b9d826adf9888c39b065c5992c8237daecb71f383026cc8eb874790e

    SHA512

    5b8d8f66cdbf154bae621bc82c1db39affacfc8a5ea419fb0730d984d209fdb2d05685eae7ca7d70eab136be3c7ba75e4050c75c2f9022958c74193a53bc73a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gulodu.exe
    Filesize

    61KB

    MD5

    ad9d87839129b5e0605029351f75e668

    SHA1

    09ecf242723e0d4665df48c5a127d145616c3321

    SHA256

    e5284583b9d826adf9888c39b065c5992c8237daecb71f383026cc8eb874790e

    SHA512

    5b8d8f66cdbf154bae621bc82c1db39affacfc8a5ea419fb0730d984d209fdb2d05685eae7ca7d70eab136be3c7ba75e4050c75c2f9022958c74193a53bc73a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gulodu.exe
    Filesize

    61KB

    MD5

    ad9d87839129b5e0605029351f75e668

    SHA1

    09ecf242723e0d4665df48c5a127d145616c3321

    SHA256

    e5284583b9d826adf9888c39b065c5992c8237daecb71f383026cc8eb874790e

    SHA512

    5b8d8f66cdbf154bae621bc82c1db39affacfc8a5ea419fb0730d984d209fdb2d05685eae7ca7d70eab136be3c7ba75e4050c75c2f9022958c74193a53bc73a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zmrsmmh.xe
    Filesize

    5KB

    MD5

    3c9cd55af525057f88faa0aebe4d5c86

    SHA1

    0d6c1c5019a9ccada63dbc5d658174619f22964d

    SHA256

    a1f640bab1406ad72aabccf0f4783a2780fbdb0c32e3ee99d21e1b6953e4706b

    SHA512

    939ef3b0ee085698de324f0c476d238687bbb97e09b1955bf48352995ccfa88bc8c6a42fb6e88e5e8882cc98f6b86b76c3f94368d2b58d9d21fe7f5b4fbc5dfe

    Download Submit

  • memory/4488-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4864-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4864-139-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4864-140-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download