Overview

overview

10

Static

static

3

79d867daf2...9N.exe

windows7-x64

10

79d867daf2...9N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    79d867daf271b15c4428bebfbd96b81c9fd18dd0f1a545dc183d065c6134f6b9N.exe

  • Size

    728KB

  • Sample

    250116-v9pt8sskfm

  • MD5

    a6436d249124064799aacc9c3a761660

  • SHA1

    1cfd11bc5e30b8042ca6669fadd084952746c3a2

  • SHA256

    79d867daf271b15c4428bebfbd96b81c9fd18dd0f1a545dc183d065c6134f6b9

  • SHA512

    5761b137809bcfced285542cef1bc9421df40fc84e6d652471abaa0f1e10c3106c64869aaddbcdca5148ca091184383801d3d40a8b043933b045231ae96b15a6

  • SSDEEP

    12288:eorh5aElioPvWRJyYBN2wxaVkse5m5+VojH:5t3WR0YB8wxaVkseg8o

Score
10/10
lokibotzgratcollectiondefense_evasiondiscoveryevasionexecutionprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

https://vihaiha.com/.ccb/news/school/boy/choo/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      79d867daf271b15c4428bebfbd96b81c9fd18dd0f1a545dc183d065c6134f6b9N.exe

    • Size

      728KB

    • MD5

      a6436d249124064799aacc9c3a761660

    • SHA1

      1cfd11bc5e30b8042ca6669fadd084952746c3a2

    • SHA256

      79d867daf271b15c4428bebfbd96b81c9fd18dd0f1a545dc183d065c6134f6b9

    • SHA512

      5761b137809bcfced285542cef1bc9421df40fc84e6d652471abaa0f1e10c3106c64869aaddbcdca5148ca091184383801d3d40a8b043933b045231ae96b15a6

    • SSDEEP

      12288:eorh5aElioPvWRJyYBN2wxaVkse5m5+VojH:5t3WR0YB8wxaVkseg8o

    Score
    10/10
    lokibotzgratcollectiondefense_evasiondiscoveryprivilege_escalationratspywarestealertrojanevasionexecution

    • Detect ZGRat V2

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Zgrat family

      zgrat

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

1
T1562

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks