Overview

overview

10

Static

static

1

b2e09b439d...10.exe

windows7-x64

3

b2e09b439d...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2023, 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2e09b439d7b6af1c30f4d626d29ad458476bb12739164f2650752445ce0e210.exe

  • Size

    2.2MB

  • MD5

    3394aa9dfb48e470547e7f8628375edc

  • SHA1

    61a0e1e57a660aebdb36db1a27af1455370d6510

  • SHA256

    b2e09b439d7b6af1c30f4d626d29ad458476bb12739164f2650752445ce0e210

  • SHA512

    6faf184af17608b71fd5bc5a4a0d50b3649d53647acea4aee52a18696fdc77aa8c85bed55281e27dbb395eefcf2db7a92b5be5b7389f69d9d517c11338a62fcc

  • SSDEEP

    49152:ZqCY2nf4AUBeTNQqw/H2a2fidVEtMoo9SSwMKJrEmzuZWj7T:Exqf1pdw/bD8OkXcE

Score
10/10
lokibotpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://sempersim.su/a21/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2e09b439d7b6af1c30f4d626d29ad458476bb12739164f2650752445ce0e210.exe
    "C:\Users\Admin\AppData\Local\Temp\b2e09b439d7b6af1c30f4d626d29ad458476bb12739164f2650752445ce0e210.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
        PID:4888
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          3⤵
          • Creates scheduled task(s)
          PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp425A.tmp.bat""
        2⤵
          PID:3752
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:3448
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            3⤵
              PID:4480
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
                4⤵
                  PID:2864
                • C:\Windows\SysWOW64\calc.exe
                  "C:\Windows\SYSWOW64\calc.exe"
                  4⤵
                    PID:2448
                  • C:\Windows\SysWOW64\ping.exe
                    "C:\Windows\SYSWOW64\ping.exe"
                    4⤵
                    • Runs ping.exe
                    PID:3884

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp425A.tmp.bat
              Filesize

              151B

              MD5

              9d68f73019fb6bc62b1d167d44ecb178

              SHA1

              77f7861ff96d5bf9d4c5540f7aa6112546ba6109

              SHA256

              2eaca6a028bbefb9cbb8dbbed517fc09ed569fc8653e60cdcb1ae47ec0ff2d17

              SHA512

              c67e5edc7fc9147d49859b2f04298198fe078e51bccd25373bc976e5ea95ae34dba2bce613cd534c919b3153fbf5ee9b648d028e9c0fbc6f9c19db6cd813139a

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost.exe
              Filesize

              1.3MB

              MD5

              11fe83e3c37b76d520f13c46b92f0e6f

              SHA1

              1fe5b0de1cb83737bc4c6addca1df46207a1e93d

              SHA256

              c202587e581136d8af2ffde4d6d363c7a10e394bb2a8f7d4825a6b9d8f18f409

              SHA512

              08a964886113030bb36c74d273991a75f89ca645cf600ccf955a7476f306593bd42efdd344e1de6fbeef84f71aa1aff60742f9f9ac0c49504b643358770845c9

              Download Submit

            • C:\Users\Admin\AppData\Roaming\svchost.exe
              Filesize

              830KB

              MD5

              a1ec4de1cee6c1cb27ec088f8f73f7d6

              SHA1

              7d636c0c2c4b8d601cd328762d0f9d3b3fd72de2

              SHA256

              a5ca01f9287b656874816b63b6d47ca9fdd64590e30c9d668806a1b43d173dcc

              SHA512

              6799d6d4cb06362ecc78f4f2cb74f8cba72c6786b25a17ea950c218b966c8c2c34db5aeff8a31bf69c99e3b8da8a3b939d9c170c1421f3b6dbee6a8bf6e8ed61

              Download Submit

            • memory/2012-3-0x0000000005010000-0x00000000050AC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/2012-4-0x00000000053F0000-0x0000000005400000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2012-5-0x0000000000AE0000-0x0000000000B48000-memory.dmp

              Filesize

              416KB

              Download

            • memory/2012-6-0x00000000059B0000-0x0000000005F54000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2012-7-0x0000000004E60000-0x0000000004E7A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2012-8-0x00000000053F0000-0x0000000005400000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2012-2-0x0000000074880000-0x0000000075030000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2012-14-0x0000000074880000-0x0000000075030000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2012-1-0x0000000000300000-0x0000000000540000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/2012-0-0x0000000074880000-0x0000000075030000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2864-26-0x0000000005440000-0x0000000005A68000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2864-19-0x0000000074880000-0x0000000075030000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2864-22-0x0000000004E00000-0x0000000004E10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2864-21-0x0000000004E00000-0x0000000004E10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2864-20-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2864-30-0x00000000052B0000-0x00000000052D2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3884-23-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/3884-27-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/3884-29-0x0000000000400000-0x00000000004A2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/4480-18-0x0000000074880000-0x0000000075030000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4480-28-0x0000000074880000-0x0000000075030000-memory.dmp

              Filesize

              7.7MB

              Download