Overview

overview

10

Static

static

1

4f9289ac6c...e8.exe

windows7-x64

10

4f9289ac6c...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f9289ac6c38a0b6d80173c6b645e6d70d415a8291017f89c852b2468175bde8.exe

  • Size

    673KB

  • MD5

    1d2c968c22903392601d409cfe0af1af

  • SHA1

    b4e871ca1b111a12f09db58484e5a90255e6f104

  • SHA256

    4f9289ac6c38a0b6d80173c6b645e6d70d415a8291017f89c852b2468175bde8

  • SHA512

    0926d40b5d53ca5469df6bf03d2b0c3757b746fd3648c9a7838c675ddf58c08620c70a790769f1191b044a76a9d89927f88f0080a2690893345d1e934cb112ae

  • SSDEEP

    12288:Etnsok3PEyNZkVrFhRxRHv8d6QUtSVAFLOuijXMJjTI3Efh:ek/bN2VrFbDHv8dWEV6LToe9fh

Score
10/10
guloaderlokibotcollectiondownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f9289ac6c38a0b6d80173c6b645e6d70d415a8291017f89c852b2468175bde8.exe
    "C:\Users\Admin\AppData\Local\Temp\4f9289ac6c38a0b6d80173c6b645e6d70d415a8291017f89c852b2468175bde8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Mogdad=Get-Content 'C:\Users\Admin\AppData\Local\Temp\ddmandssikringen\sjuskefejlene\Sesamen\Compursion.Arn';$Murmuringly=$Mogdad.SubString(5632,3);.$Murmuringly($Mogdad)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2612
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
            PID:2740
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            3⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2628

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ddmandssikringen\sjuskefejlene\Sesamen\Brillanterne245.Mer
        Filesize

        316KB

        MD5

        827714110ec478590c398b3620086dd3

        SHA1

        feb319fc1396ec3b4e3bf0d5d081b02ac4942eb6

        SHA256

        c910ed1ec3863862ba459f33a310c597a97373df8ba67b28b5b38f61b24b278f

        SHA512

        6026b2de695175f69da70ac3dd1400e5995d9487b9aab1847d2b4b31ca76c459f041d3c345c12a66f4aa2411e2de147d6f7d3e40ae67e5a1c69b04fddf762fd1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ddmandssikringen\sjuskefejlene\Sesamen\Compursion.Arn
        Filesize

        63KB

        MD5

        3f95b2ab8f58f33a249616d482bca012

        SHA1

        239a37cd51c0e8a573045cc947b555e656d35322

        SHA256

        7a3b4b7d0f870dc2a81fa5bf30c3547d26ffb63051c7a4191b7f7cc6d9226472

        SHA512

        3cd593fba842608842e9167767044d3da4f6a9bb541a79baea31e71e67e815bfc60c89f2b9d1188f2cd360b262ff1f95f7ff5cc2f9cd40b5c10e58ad374f137e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1340930862-1405011213-2821322012-1000\0f5007522459c86e95ffcc62f32308f1_527e8b4f-d968-48c7-a5cc-e9c96c60868c
        Filesize

        46B

        MD5

        d898504a722bff1524134c6ab6a5eaa5

        SHA1

        e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

        SHA256

        878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

        SHA512

        26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1340930862-1405011213-2821322012-1000\0f5007522459c86e95ffcc62f32308f1_527e8b4f-d968-48c7-a5cc-e9c96c60868c
        Filesize

        46B

        MD5

        c07225d4e7d01d31042965f048728a0a

        SHA1

        69d70b340fd9f44c89adb9a2278df84faa9906b7

        SHA256

        8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

        SHA512

        23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

        Download Submit

      • memory/2628-19-0x0000000000400000-0x0000000000581000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2628-42-0x0000000000590000-0x0000000005865000-memory.dmp

        Filesize

        82.8MB

        Download

      • memory/2792-14-0x00000000740F0000-0x000000007469B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2792-12-0x00000000740F0000-0x000000007469B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2792-17-0x0000000006660000-0x000000000B935000-memory.dmp

        Filesize

        82.8MB

        Download

      • memory/2792-18-0x00000000740F0000-0x000000007469B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2792-10-0x00000000740F1000-0x00000000740F2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2792-13-0x00000000740F0000-0x000000007469B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2792-11-0x00000000740F0000-0x000000007469B000-memory.dmp

        Filesize

        5.7MB

        Download