Analysis

  • max time kernel
    132s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    24-01-2023 01:28

General

  • Target

    c108939610bf760ad9a71cd9c45259f2.exe

  • Size

    104KB

  • MD5

    c108939610bf760ad9a71cd9c45259f2

  • SHA1

    591cf5942dfaa94f75932fed1fd043fb95d2b045

  • SHA256

    5d99ab24811624ef3c5f5d8c9b71009ebe33acfbb235cb58400c2a4b6e0c30bf

  • SHA512

    233d58e9a837b5d86ac0f3c4110a41b04c9de97cc6f10150311a725724bb1a913dda74fc043561bd493635bc925b364a9ae794b8fc16fd6d380d16a339849e39

  • SSDEEP

    1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/Eq1Izmd:nSHIG6mQwGmfOQd8YhY0/EQUG

Malware Config

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c108939610bf760ad9a71cd9c45259f2.exe
    "C:\Users\Admin\AppData\Local\Temp\c108939610bf760ad9a71cd9c45259f2.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1780-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

    Filesize

    8KB