Analysis

  • max time kernel
    115s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2023 18:41

General

  • Target

    número de pedido 675432.exe

  • Size

    752KB

  • MD5

    9e1935a47f0fc0de66b4a98556336d46

  • SHA1

    8cacf3fa719e158213189b0ec89f8813c4d21297

  • SHA256

    e973ddbe5be12de3bb6c48532e99abd8a5e9b44b084a388c89690309c7c38da5

  • SHA512

    93d5f772f3ca308cb9c249c70e5a538ec399e3db902d945f6ee4d08ff399947a4a0d35899b1dc9ebc47d37b6693db5a8787386498e8eeb152c172c924c23590a

  • SSDEEP

    12288:f2iNZlSE+AB6Fy2Mxz0hAy9yVrNgFW9zktGU83Sg43pqG4yPa:f1dH+AB6F0x10yFFVktGz3tYpqG4yPa

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/ha8/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\número de pedido 675432.exe
    "C:\Users\Admin\AppData\Local\Temp\número de pedido 675432.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\número de pedido 675432.exe
      "C:\Users\Admin\AppData\Local\Temp\número de pedido 675432.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1044-69-0x00000000004139DE-mapping.dmp
  • memory/1044-60-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-74-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-73-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-63-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-71-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-68-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-61-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-66-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1044-65-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

  • memory/1996-58-0x0000000004E60000-0x0000000004EBA000-memory.dmp
    Filesize

    360KB

  • memory/1996-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize

    8KB

  • memory/1996-54-0x0000000000D00000-0x0000000000DC2000-memory.dmp
    Filesize

    776KB

  • memory/1996-59-0x0000000000B30000-0x0000000000B50000-memory.dmp
    Filesize

    128KB

  • memory/1996-57-0x0000000000910000-0x000000000091A000-memory.dmp
    Filesize

    40KB

  • memory/1996-56-0x00000000005C0000-0x00000000005D4000-memory.dmp
    Filesize

    80KB