Overview

overview

10

Static

static

3

c8ef778ff1...95.exe

windows7-x64

10

c8ef778ff1...95.exe

windows10-2004-x64

8

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    06-07-2024 06:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195.exe

  • Size

    457KB

  • MD5

    92a71af74ad52bd6968c86a1197df7d5

  • SHA1

    da3afefc08de0fa9b4b6c2742c927d6703fdae0c

  • SHA256

    c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195

  • SHA512

    706482562653c189027a0d53d34ea8fc8ebf85528c96c05b4651f0a08665db94666edd078f799bbc5e2753428e2f9fe3dddd223150e856e23d34fdd0e3fe88fd

  • SSDEEP

    6144:coShfU3osnd2J4v8KJIRySSDbnybCiRG26b5hiVLaf3Uz9YP3WImQK+9OIT8CCvP:Fqgowd2JY8NRPE7yvRAQVLafPP3jfLkP

Score
10/10
guloaderlokibotcollectiondownloaderexecutionspywarestealertrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195.exe
    "C:\Users\Admin\AppData\Local\Temp\c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Lovkrav=Get-Content 'C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Radioaktivest.Sup';$Exorable=$Lovkrav.SubString(70678,3);.$Exorable($Lovkrav)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
          PID:2636
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2656

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Lighedspunkternes.Fla
      Filesize

      299KB

      MD5

      be71ed679ecf4ac926d594cdaa4fbc83

      SHA1

      099a1b287bf6b01183cfa7363e2cf17b9aa199bd

      SHA256

      37376b6063c39eface87e55d02c0f1419893f689c2d4a02396b6ce4e4cafbac6

      SHA512

      6bb428f6ebe605fe30105e5830563641baab13d8ee163fa2be1753fb85e525faf870fdbd72c2a50b3b937df93a80b4072d207312efcdc0110a1d5a7ad86e2c56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Radioaktivest.Sup
      Filesize

      69KB

      MD5

      e2606a0ced1b1b771a63e507bef6548d

      SHA1

      72c055984e5a4f43c4ed6c8020d37938afb6fa4a

      SHA256

      368a7423c1c873ee451b227795beb591e3b5d213ce98809de54957525b46e1fc

      SHA512

      1e4dee9bf06edbf2fefd3dfd28d72fc4ee4d878e0bba2cc125a2487b6085ecc8154a1630ca7e444618fcb20106c9292f8ed39bf0786cdd5241a198fe56b25091

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\0f5007522459c86e95ffcc62f32308f1_0b857b27-3438-41f8-a27a-43f96d095be3
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1385883288-3042840365-2734249351-1000\0f5007522459c86e95ffcc62f32308f1_0b857b27-3438-41f8-a27a-43f96d095be3
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsyBFC7.tmp\Banner.dll
      Filesize

      4KB

      MD5

      843657eaf7240b695624dcf38bb0eb31

      SHA1

      ca99a44e737fdeaab56f864ce1ef15a57d2eec90

      SHA256

      b935d14c32ad8e16055f7f5794ac3411e601c5ac93155afc623f25b08e2ab82e

      SHA512

      7773d9f6bbd17253d1c96ce225b2f9d3673969b38177afef236d1c5d4aabaae2c07793e07c34f0281ec3b859ae955e83bfe43a598ce7cc6c893ec8c9604f5de3

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsyBFC7.tmp\BgImage.dll
      Filesize

      7KB

      MD5

      a98576f0d6b35b466cb881860977fdbc

      SHA1

      28b3dbbd76f15c876b98dce523100aa3256d193a

      SHA256

      6cc4aadae46ee3e7f39b411ba087ec29bc10aa62b6b5b44003c934b3c51cefe2

      SHA512

      29225bfb30e72d7d3d3571e7562b5901dbf2382af1972cc9a2be8e3bef697b9ac9e0aaac3a9bca191da827ad3cfce7f6876e8be9444663e83a7e2e86788a733c

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsyBFC7.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      2c84faebfda2abe3b16fdf374df4272f

      SHA1

      a5b0258a94e0440aefe1ef320e62e7a9a1c8bb40

      SHA256

      72b38e4cca0af336655d55501c4ea05080baaa9921a62a2d717afe90bb801004

      SHA512

      207164cc6914c59d9f4f3b8ae97628c544093ba6ecda9f8da351f453cd97e03be7a640264b8686b2d5e6f3c787f4df1d8a1ebc8e51fd788a97460cd981cc015e

      Download Submit

    • memory/2656-57-0x0000000000D10000-0x0000000004B8D000-memory.dmp

      Filesize

      62.5MB

      Download

    • memory/2700-28-0x00000000739C1000-0x00000000739C2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2700-32-0x00000000739C0000-0x0000000073F6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2700-36-0x00000000067B0000-0x000000000A62D000-memory.dmp

      Filesize

      62.5MB

      Download

    • memory/2700-37-0x00000000739C0000-0x0000000073F6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2700-31-0x00000000739C0000-0x0000000073F6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2700-30-0x00000000739C0000-0x0000000073F6B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2700-29-0x00000000739C0000-0x0000000073F6B000-memory.dmp

      Filesize

      5.7MB

      Download