Analysis
-
max time kernel
56s -
max time network
60s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
05/04/2023, 18:20
Static task
static1
General
-
Target
Lokibot.exe
-
Size
300KB
-
MD5
f52fbb02ac0666cae74fc389b1844e98
-
SHA1
f7721d590770e2076e64f148a4ba1241404996b8
-
SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
-
SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
SSDEEP
3072:bGSHTJKB/DA8SBV7Nr6JD6u8w/CpLmrCpLmlrudATPTVWZV5wx3nu9B6jFdnp:bGSzYBchvEJD6LpZj+PTa7wx36AjX
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/1804-121-0x0000000001770000-0x0000000001784000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Lokibot.exe Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Lokibot.exe Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Lokibot.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1804 set thread context of 4768 1804 Lokibot.exe 66 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1804 Lokibot.exe 1804 Lokibot.exe 1804 Lokibot.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 4768 Lokibot.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1804 Lokibot.exe Token: SeDebugPrivilege 4768 Lokibot.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 PID 1804 wrote to memory of 4768 1804 Lokibot.exe 66 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook Lokibot.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Lokibot.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"C:\Users\Admin\AppData\Local\Temp\Lokibot.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4768
-