Overview

overview

10

Static

static

3

6d8aaf45e4...0f.exe

windows7-x64

10

6d8aaf45e4...0f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d8aaf45e441a23f537e1b506cecbf29a05878e192cbe92c96cee2d8835a610f

  • Size

    564KB

  • Sample

    240304-fd3nwsba64

  • MD5

    ee6540466a3efa53c8ea1068c8a02fcb

  • SHA1

    9cb1126b5f0c332b038c6b45716653eb6e9b3762

  • SHA256

    6d8aaf45e441a23f537e1b506cecbf29a05878e192cbe92c96cee2d8835a610f

  • SHA512

    5bc2b9edc87b64fe472f9fc56898c130c86ab138bc76649d68786f3954ef50718fa46d4b94c30f3995d4edb529e2703b2e663af5c9253c9eeb75caac6dab0571

  • SSDEEP

    12288:QuTpqJqRy20MbcIsesdyEhtALZKM6uBNr4+esTCmZ:QuT2w8TM1KMp2m

Score
10/10
lokibotnetwirebootkitbotnetcollectionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes
  • activex_autorun

    true

  • activex_key

    {84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    IRobWUAG

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Avast

  • use_mutex

    true

Extracted

Family

lokibot

C2

http://meta-mim.in/wp-includes/pzy/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      6d8aaf45e441a23f537e1b506cecbf29a05878e192cbe92c96cee2d8835a610f

    • Size

      564KB

    • MD5

      ee6540466a3efa53c8ea1068c8a02fcb

    • SHA1

      9cb1126b5f0c332b038c6b45716653eb6e9b3762

    • SHA256

      6d8aaf45e441a23f537e1b506cecbf29a05878e192cbe92c96cee2d8835a610f

    • SHA512

      5bc2b9edc87b64fe472f9fc56898c130c86ab138bc76649d68786f3954ef50718fa46d4b94c30f3995d4edb529e2703b2e663af5c9253c9eeb75caac6dab0571

    • SSDEEP

      12288:QuTpqJqRy20MbcIsesdyEhtALZKM6uBNr4+esTCmZ:QuT2w8TM1KMp2m

    Score
    10/10
    lokibotnetwirebootkitbotnetcollectionpersistenceratspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables referencing many file transfer clients. Observed in information stealers

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks