Analysis

  • max time kernel
    190s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2023 13:13

General

  • Target

    file.exe

  • Size

    183KB

  • MD5

    2ee13ecd998734cd7fc80b882c7c3eab

  • SHA1

    93b675eeaf1da0de08d0ab9390baaf8d32967a3c

  • SHA256

    5ac52f3fe1e191e4f6c6e8f4ab8c5137dae75af22fe37a858e6b09add80b2dea

  • SHA512

    42e9924c1f28bee87d550a81e1628a74da30de05ea3b047627c6cb505ef99b9dc96ff5adb5679677249a4f038db3f8f5bf1ad80ae3bb9b48eedef5b5debb9791

  • SSDEEP

    3072:XfY/TU9fE9PEtufbLiHGXEXWKo+Gov1DANq78+ZzhPKfl/Ih3nU0ewEIcqEFYdUm:PYa6BeHJGoe478+ZzJKd6XU90hEF80No

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha4/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\valpmjsf.exe
      "C:\Users\Admin\AppData\Local\Temp\valpmjsf.exe" C:\Users\Admin\AppData\Local\Temp\eelrufaz.iw
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Users\Admin\AppData\Local\Temp\valpmjsf.exe
        "C:\Users\Admin\AppData\Local\Temp\valpmjsf.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2164

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, 1 (T1081)
  • Discovery: System Information Discovery, 1 (T1082)
  • Collection: Data from Local System, 1 (T1005)
  • Collection: Email Collection, 1 (T1114)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\eelrufaz.iw
    Filesize

    5KB

    MD5

    b3c157df42774b424e05912b228604b9

    SHA1

    8bda0c34b9ad0784fa0e22fa4fa3f221862a631f

    SHA256

    4d25db346ea833135a321f66e952dbdbfef4af39bb85342394ef987d6ac2e9da

    SHA512

    fc5bbedf5775142639943ed1e7080ad4aad8a51282507e99d1f34d34f0f05da6574f0c260898487a52d3a5a64e00fb393d898c0405cf9c09bbe3c2c87a71ef34

  • C:\Users\Admin\AppData\Local\Temp\nmrbgn.w
    Filesize

    124KB

    MD5

    49120b91d1949489808b276b04f25d89

    SHA1

    2bdf0e5af786efc803f43e57e9dd4c0ac156bfb7

    SHA256

    6258bb119bf0ee4ee54bb72ada4218fa6cab22de877e4e338f492e5378b3a222

    SHA512

    2321f5a16af653c7ceba9310bb35f4946d485c85a3b3b48734adddc5b5a87c2840dcd98944fc8cf6fd65e35493cb5624c2bd02126c3704f77099258ea46e8fe6

  • C:\Users\Admin\AppData\Local\Temp\valpmjsf.exe
    Filesize

    79KB

    MD5

    df3bb50ae86d689f172077c15c541b02

    SHA1

    0da84c3fda81ed2036a7fe609a97ea7721234ac9

    SHA256

    67581d80dfd7a5d871391f8d406c57721f0bd4823eda59adacb4c1b8faf8cada

    SHA512

    0199328ddf8e7367cd6b88bb53b3996299ed60df200478d22faf38336a46a79f9cfbd4e63902220be0f79003ee6b19fd4aba397c163dc02c046839c2650576dd

  • memory/2164-137-0x0000000000000000-mapping.dmp
  • memory/2164-139-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2164-140-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/2964-132-0x0000000000000000-mapping.dmp