Overview

overview

10

Static

static

3

Bank State...df.exe

windows7-x64

10

Bank State...df.exe

windows10-2004-x64

10

$APPDATA/v...60.dll

windows7-x64

1

$APPDATA/v...60.dll

windows10-2004-x64

1

$APPDATA/v...60.dll

windows7-x64

1

$APPDATA/v...60.dll

windows10-2004-x64

1

$APPDATA/v...pc.exe

windows7-x64

3

$APPDATA/v...pc.exe

windows10-2004-x64

3

$APPDATA/v...tp.dll

windows7-x64

3

$APPDATA/v...tp.dll

windows10-2004-x64

3

$APPDATA/v...en.dll

windows7-x64

3

$APPDATA/v...en.dll

windows10-2004-x64

3

$TEMP/AnaMetaphor.dll

windows7-x64

3

$TEMP/AnaMetaphor.dll

windows10-2004-x64

3

$TEMP/dev6...60.dll

windows7-x64

1

$TEMP/dev6...60.dll

windows10-2004-x64

1

$TEMP/dev6...ib.dll

windows7-x64

1

$TEMP/dev6...ib.dll

windows10-2004-x64

1

$TEMP/dev6...MA.dll

windows7-x64

3

$TEMP/dev6...MA.dll

windows10-2004-x64

3

$TEMP/dev6...lp.dll

windows7-x64

1

$TEMP/dev6...lp.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    7s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank Statement_pdf.exe

  • Size

    270KB

  • MD5

    39abbc28a33d027111f5060e68a11548

  • SHA1

    33da5d497407b8f03f6208a9fbb05b5c0a394722

  • SHA256

    574a393b16055b44e6c6baeb608506f58375d8792c0c1b88ba0b2b2e6c5dbd72

  • SHA512

    d6aa566a5908b479c54af16ffe1c92b9457a893fc406230bce1109c35eeccd46f5c69fdd8fa97bdaa4f1f8e5d675ca087a5cfa0fec5488be68341c6689e09b6c

  • SSDEEP

    6144:dPCganNMO9M4ATBeH5LM13bRmLLtLM85YOw5TBN/Ysi8dDK:DanaO9yeLM1ALhLM8TyTL/Ys94

Score
10/10
lokibotdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://egamcorps.ga/~zadmin/lmark/gld/mode.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bank Statement_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank Statement_pdf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4948
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe AnaMetaphor,Pretor
      2⤵
        PID:4792
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
            PID:5020
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
              PID:3972
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe"
              3⤵
                PID:2944
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe"
                3⤵
                  PID:2032
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  3⤵
                    PID:3204
                  • C:\Windows\SysWOW64\notepad.exe
                    "C:\Windows\system32\notepad.exe"
                    3⤵
                      PID:2088
                    • C:\Windows\SysWOW64\notepad.exe
                      "C:\Windows\system32\notepad.exe"
                      3⤵
                        PID:2128

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\AnaMetaphor.DLL
                    Filesize

                    19KB

                    MD5

                    eca4d3581bfee01fbbdfab46e73b8afb

                    SHA1

                    38b63ea322bd5f9b5ca14046a42f7ee25cf357d1

                    SHA256

                    2d4b4f73706eb3753f57ecf1e83e4ae68b8c07c72fe64a2aa2b0d80e5f64b7b3

                    SHA512

                    ef2f552f5216775aae85ac0835a7eb34498825e64961eb614a6728f76eaaef3e4ae36a847d0f7cfc30cce1b5c03e1521de93e1801db0a171dafbfbd73be66c20

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Chair
                    Filesize

                    162KB

                    MD5

                    a2229da77577e374ce4ef2bb3708352e

                    SHA1

                    3b5950ecf7b7eee7d0dceb9b5f0ce62b1c1ee6cd

                    SHA256

                    220a5e026b1d107d671570c1d952a9e34f4fe67544eb5df4ccf3c12c140e079c

                    SHA512

                    5c2d37488733e39ed01e94df26b84e518dfe688efe9518bb5cc78dc38049db8a4b8ebe41c69e8ceead4e1535255ad0af213a589be051073a6deb0bfd30e2c4a6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3419463127-3903270268-2580331543-1000\0f5007522459c86e95ffcc62f32308f1_da80f27c-12da-4232-b66b-1e1207d248ba
                    Filesize

                    46B

                    MD5

                    d898504a722bff1524134c6ab6a5eaa5

                    SHA1

                    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

                    SHA256

                    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

                    SHA512

                    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3419463127-3903270268-2580331543-1000\0f5007522459c86e95ffcc62f32308f1_da80f27c-12da-4232-b66b-1e1207d248ba
                    Filesize

                    46B

                    MD5

                    c07225d4e7d01d31042965f048728a0a

                    SHA1

                    69d70b340fd9f44c89adb9a2278df84faa9906b7

                    SHA256

                    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

                    SHA512

                    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

                    Download Submit

                  • memory/2128-28-0x0000000000400000-0x00000000004A2000-memory.dmp

                    Filesize

                    648KB

                    Download

                  • memory/4792-25-0x00000000012D0000-0x00000000012D2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/4792-27-0x0000000076250000-0x00000000762B3000-memory.dmp

                    Filesize

                    396KB

                    Download

                  • memory/4792-26-0x0000000074020000-0x00000000740E8000-memory.dmp

                    Filesize

                    800KB

                    Download

                  • memory/4792-29-0x0000000074020000-0x00000000740E8000-memory.dmp

                    Filesize

                    800KB

                    Download