Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/07/2023, 09:58 UTC

General

  • Target

    PI-EP 05919.exe

  • Size

    559KB

  • MD5

    103264e1af3afccc182abbb66ff64bb5

  • SHA1

    96765da528bc4bc406894dc020adafd080e04af0

  • SHA256

    95934ccfa95253459a4caa462ebcb4435c27ef7ce1d3a7aa4c8d6ddea9806938

  • SHA512

    87541ea2c33d08f75a33e1cc9c667b8eb64a5b4ada65b7490f53f60dba08e5606281093bf58d283bd48bdd55ae0cbecd40bb16dff9f3ad2ba6a5188213b8c68c

  • SSDEEP

    12288:tPYPfY7fpf88MbfL5wiE4UYLXb57GdWacRmg8D4jd:tPYPglfabz5wiMkGEpx

Malware Config

Extracted

Family

lokibot

C2

http://185.246.220.85/ugopounds/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI-EP 05919.exe
    "C:\Users\Admin\AppData\Local\Temp\PI-EP 05919.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\PI-EP 05919.exe
      "C:\Users\Admin\AppData\Local\Temp\PI-EP 05919.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2548

Network

  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    POST
    http://185.246.220.85/ugopounds/five/fre.php
    PI-EP 05919.exe
    Remote address:
    185.246.220.85:80
    Request
    POST /ugopounds/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.246.220.85
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B11EE276
    Content-Length: 358
    Connection: close
    Response
    HTTP/1.0 404 Not Found
    Date: Wed, 19 Jul 2023 09:59:27 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 15
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    POST
    http://185.246.220.85/ugopounds/five/fre.php
    PI-EP 05919.exe
    Remote address:
    185.246.220.85:80
    Request
    POST /ugopounds/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.246.220.85
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B11EE276
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.0 404 Not Found
    Date: Wed, 19 Jul 2023 09:59:27 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 15
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    85.220.246.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.220.246.185.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    POST
    http://185.246.220.85/ugopounds/five/fre.php
    PI-EP 05919.exe
    Remote address:
    185.246.220.85:80
    Request
    POST /ugopounds/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.246.220.85
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B11EE276
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.0 404 Not Found
    Date: Wed, 19 Jul 2023 09:59:27 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    63.13.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    63.13.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    POST
    http://185.246.220.85/ugopounds/five/fre.php
    PI-EP 05919.exe
    Remote address:
    185.246.220.85:80
    Request
    POST /ugopounds/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: 185.246.220.85
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B11EE276
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.0 404 Not Found
    Date: Wed, 19 Jul 2023 10:00:28 GMT
    Server: Apache
    Status: 404 Not Found
    Content-Length: 23
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    202.74.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.74.101.95.in-addr.arpa
    IN PTR
    Response
    202.74.101.95.in-addr.arpa
    IN PTR
    a95-101-74-202.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    169.117.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    169.117.168.52.in-addr.arpa
    IN PTR
    Response
  • 185.246.220.85:80
    http://185.246.220.85/ugopounds/five/fre.php
    http
    PI-EP 05919.exe
    877 B
    448 B
    6
    6

    HTTP Request

    POST http://185.246.220.85/ugopounds/five/fre.php

    HTTP Response

    404
  • 185.246.220.85:80
    http://185.246.220.85/ugopounds/five/fre.php
    http
    PI-EP 05919.exe
    699 B
    448 B
    6
    6

    HTTP Request

    POST http://185.246.220.85/ugopounds/five/fre.php

    HTTP Response

    404
  • 185.246.220.85:80
    http://185.246.220.85/ugopounds/five/fre.php
    http
    PI-EP 05919.exe
    672 B
    456 B
    6
    6

    HTTP Request

    POST http://185.246.220.85/ugopounds/five/fre.php

    HTTP Response

    404
  • 185.246.220.85:80
    http://185.246.220.85/ugopounds/five/fre.php
    http
    PI-EP 05919.exe
    672 B
    456 B
    6
    6

    HTTP Request

    POST http://185.246.220.85/ugopounds/five/fre.php

    HTTP Response

    404
  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    85.220.246.185.in-addr.arpa
    dns
    73 B
    148 B
    1
    1

    DNS Request

    85.220.246.185.in-addr.arpa

  • 8.8.8.8:53
    63.13.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    63.13.109.52.in-addr.arpa

  • 8.8.8.8:53
    202.74.101.95.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    202.74.101.95.in-addr.arpa

  • 8.8.8.8:53
    169.117.168.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    169.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3195054982-4292022746-1467505928-1000\0f5007522459c86e95ffcc62f32308f1_320257d5-a40a-4005-a66a-f8da3659bec3

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3195054982-4292022746-1467505928-1000\0f5007522459c86e95ffcc62f32308f1_320257d5-a40a-4005-a66a-f8da3659bec3

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • memory/1664-141-0x000000000A8B0000-0x000000000A94C000-memory.dmp

    Filesize

    624KB

  • memory/1664-135-0x0000000005B30000-0x00000000060D4000-memory.dmp

    Filesize

    5.6MB

  • memory/1664-137-0x00000000058B0000-0x00000000058C0000-memory.dmp

    Filesize

    64KB

  • memory/1664-138-0x00000000057E0000-0x00000000057EA000-memory.dmp

    Filesize

    40KB

  • memory/1664-139-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

  • memory/1664-140-0x00000000058B0000-0x00000000058C0000-memory.dmp

    Filesize

    64KB

  • memory/1664-133-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

  • memory/1664-136-0x0000000005620000-0x00000000056B2000-memory.dmp

    Filesize

    584KB

  • memory/1664-134-0x0000000000BE0000-0x0000000000C72000-memory.dmp

    Filesize

    584KB

  • memory/1664-145-0x0000000074660000-0x0000000074E10000-memory.dmp

    Filesize

    7.7MB

  • memory/2548-142-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2548-147-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2548-146-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2548-166-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2548-174-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB
