Overview

overview

10

Static

static

3

Payment slip.exe

windows7-x64

10

Payment slip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment slip.exe

  • Size

    743KB

  • MD5

    ac82a4aa50ad21a166029cedbcde551f

  • SHA1

    26eed14a90fd7f8992660d375f3b77342183b13a

  • SHA256

    a013b7c79bff3e1ca817b809deb34f94ad2bd883ceb1f08427adaefaa95f1018

  • SHA512

    887790abbeca7376e17e4ceb35a6ee4819398c788ab7fce2e7be2868793b379b8f97926f003e584e9240dc73485aa7b7519c2a6d4707bd27c0fb1aa9def01145

  • SSDEEP

    12288:hDfjMCvBwgSlhsAg1DI+VNJXZ+KJsVDoCOzJ9BZ83hMbcl+SDvXQKEmz:hDfggSlK71DIuZ+Cs2FwujSDvqm

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://45.61.136.239/index.php/9460648709801952970

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IHiaBe.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IHiaBe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA40C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2432
    • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
      2⤵
        PID:2876
      • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:2120

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA40C.tmp
      Filesize

      1KB

      MD5

      571c2676ab06c937fa5a2225bba643e8

      SHA1

      6157a5319fcbdd3045dee8c30d5ce828308e05eb

      SHA256

      f7ca79a652655cd472bd32b4974999a5cbf5024cc1ec0856fd81502f0cb4b915

      SHA512

      ac5e0c3d145bc4b986a70ff83e9451b9fce4fa6c0cf9072138b21cb89c52aedcac5c1366b1e5436dd57119245ff494c29e4fc9db6175ab60b89fc668554225c6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      226aea3e30811e5b74065b9533e808f9

      SHA1

      5ce0cff627b8d12d23f8c68d22d91ae93ddf06d6

      SHA256

      856e3e1a03b53b9b67b55188632cd3dfed2595607c399509797a93b5809eb0f8

      SHA512

      0a63a7896b0ec2e04004cf138c647beaadadf9e3323673c1d79df96cc7ee579b5bc4ee3e4eb5461c25ad691f5c012d8e9096c3dce803f2ae31cdc145d2d78ea7

      Download Submit

    • memory/2120-32-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2120-26-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2120-22-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2120-24-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2120-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2120-31-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2120-28-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2120-20-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2288-1-0x0000000000010000-0x00000000000D0000-memory.dmp

      Filesize

      768KB

      Download

    • memory/2288-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2288-0-0x000000007443E000-0x000000007443F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2288-7-0x0000000074430000-0x0000000074B1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2288-6-0x000000007443E000-0x000000007443F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2288-3-0x0000000000760000-0x000000000077A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2288-5-0x0000000002170000-0x00000000021D2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2288-4-0x0000000000610000-0x0000000000620000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-33-0x0000000074430000-0x0000000074B1E000-memory.dmp

      Filesize

      6.9MB

      Download