Overview

overview

10

Static

static

1

8ccb5dc4ee...JC.exe

windows7-x64

10

8ccb5dc4ee...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2023 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe

  • Size

    235KB

  • MD5

    9c47da2eaf8817c64de9cb8f51cb76d1

  • SHA1

    f6401703f4daf98b106ef34d262c8e3f9bf7f4a5

  • SHA256

    8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbf

  • SHA512

    8b36090784316f58da10d5a115076f8a7de12fc39af117dab8abb29dfa60f5d8505d0d60857741a513d4ba2136beca1f5440365c7df6c7db562282400f2e1251

  • SSDEEP

    6144:fqjIAZnS7kEw+IZKoOHk121yf6g8HzAt+u868L:KLnS7ijsxk1QykTe2N

Score
10/10
guloaderlokibotdownloaderspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\8ccb5dc4ee7dbe6c28d9b26670ebd57269e8d982c35f9098ebeb5bdd4abc2fbfexe_JC.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:4492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsk9319.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1043950675-1972537973-2972532878-1000\0f5007522459c86e95ffcc62f32308f1_a580142d-a9c5-4a77-9177-669dbb664290
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1043950675-1972537973-2972532878-1000\0f5007522459c86e95ffcc62f32308f1_a580142d-a9c5-4a77-9177-669dbb664290
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • memory/2812-146-0x00000000049F0000-0x000000000660F000-memory.dmp

    Filesize

    28.1MB

    Download

  • memory/2812-147-0x0000000077B11000-0x0000000077C31000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2812-148-0x00000000049F0000-0x000000000660F000-memory.dmp

    Filesize

    28.1MB

    Download

  • memory/2812-149-0x0000000074970000-0x0000000074976000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4492-183-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-187-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-163-0x0000000001660000-0x000000000327F000-memory.dmp

    Filesize

    28.1MB

    Download

  • memory/4492-164-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-165-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-166-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-167-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-169-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-168-0x0000000001660000-0x000000000327F000-memory.dmp

    Filesize

    28.1MB

    Download

  • memory/4492-170-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-171-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-175-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-176-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-177-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-179-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-180-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-181-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-152-0x0000000001660000-0x000000000327F000-memory.dmp

    Filesize

    28.1MB

    Download

  • memory/4492-184-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-185-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-186-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-153-0x0000000077B98000-0x0000000077B99000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4492-188-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-189-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-190-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-191-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-192-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-193-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-201-0x0000000077B11000-0x0000000077C31000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4492-203-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-204-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-205-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-206-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-207-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-208-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-209-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-210-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-211-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-213-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4492-151-0x0000000001660000-0x000000000327F000-memory.dmp

    Filesize

    28.1MB

    Download

  • memory/4492-150-0x0000000000400000-0x0000000001654000-memory.dmp

    Filesize

    18.3MB

    Download