Overview

overview

10

Static

static

3

Final_Test.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Final_Test.pdf

  • Size

    530KB

  • Sample

    240421-tt68xaeh93

  • MD5

    ce6ba3df1d57ade7830c5315d77c9311

  • SHA1

    251e75ac4468d26f76eaa9fe6458e169d3757dd4

  • SHA256

    ce8bbc09521bc9bd7a358e4fbbe370962e22b91a78c8d895716ef98a1daaaf77

  • SHA512

    b35cd30bd0ed8a4faab706ec0ec0c5c2494764f5a4a8f6cf416341f868a257e54f8d0ecbfd6523f3fc42fc914dd487a5cc14d86f433a8c5ae8775e131f4c50e6

  • SSDEEP

    12288:0/dqneaMkgoWOtT1oslIRJUfLKvxMiFS9/j+esTCmuPcB:0/dqe1PoZt5HMgLo2micB

Score
10/10
lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://meta-mim.in/wp-includes/js/pzy/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

iheuche009.hopto.org:1199

Attributes
  • activex_autorun

    true

  • activex_key

    {84B0DIYX-PC63-6D34-570T-YW54Q1M2RH7A}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    IRobWUAG

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Avast

  • use_mutex

    true

Targets

    • Target

      Final_Test.pdf

    • Size

      530KB

    • MD5

      ce6ba3df1d57ade7830c5315d77c9311

    • SHA1

      251e75ac4468d26f76eaa9fe6458e169d3757dd4

    • SHA256

      ce8bbc09521bc9bd7a358e4fbbe370962e22b91a78c8d895716ef98a1daaaf77

    • SHA512

      b35cd30bd0ed8a4faab706ec0ec0c5c2494764f5a4a8f6cf416341f868a257e54f8d0ecbfd6523f3fc42fc914dd487a5cc14d86f433a8c5ae8775e131f4c50e6

    • SSDEEP

      12288:0/dqneaMkgoWOtT1oslIRJUfLKvxMiFS9/j+esTCmuPcB:0/dqe1PoZt5HMgLo2micB

    Score
    10/10
    lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Modifies Installed Components in the registry

      persistence

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks