Overview

overview

10

Static

static

10

da156c4105...6b.exe

windows7-x64

10

da156c4105...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da156c4105798510204940dc011a23a5ea995f4aafa998645461ce321c99a36b.exe

  • Size

    104KB

  • MD5

    a42422d176180aa97887e5f371962d77

  • SHA1

    de545b8e8cd4d4c2d82666d6e8275f75cb3288d4

  • SHA256

    da156c4105798510204940dc011a23a5ea995f4aafa998645461ce321c99a36b

  • SHA512

    1ff96539ec7cce916e2a8015b8e2f7de5d978b34e531e636444c69bb845133e9c755f15db0bb2b3bb80610473982e09dfc3872c7da06f305903452f1ebdaf520

  • SSDEEP

    1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqfIzmd:nSHIG6mQwGmfOQd8YhY0/EqUG

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://ransomproducts.top/kin/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables containing common artifacts observed in infostealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da156c4105798510204940dc011a23a5ea995f4aafa998645461ce321c99a36b.exe
    "C:\Users\Admin\AppData\Local\Temp\da156c4105798510204940dc011a23a5ea995f4aafa998645461ce321c99a36b.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1337824034-2731376981-3755436523-1000\0f5007522459c86e95ffcc62f32308f1_6833eb7b-8d4b-4cdd-9502-9bbf7fc1cf9f
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit
  • memory/3728-18-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/3728-22-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download