Analysis
-
max time kernel
137s -
max time network
134s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
23/05/2020, 00:15
General
-
Target
9ab847e59a12e75b3e2851298a8f0aa0d79b5865cf03956b65828631dfd3f974.exe
-
Size
1.1MB
-
MD5
414a1c0b1a1cbc5e902b619f2b6906c3
-
SHA1
69f04a882ef1317757362792c52de5d02f321440
-
SHA256
9ab847e59a12e75b3e2851298a8f0aa0d79b5865cf03956b65828631dfd3f974
-
SHA512
fee97534ad80f270bde7cbabcd994d4656b1be537ed46a635f879fe9417ca70d17c26f0692b3385fe7874a0bba4c4d983efd639d9d957eba5195dad4b0a67e93
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://zangs.ga/choolee/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ab847e59a12e75b3e2851298a8f0aa0d79b5865cf03956b65828631dfd3f974.exe"C:\Users\Admin\AppData\Local\Temp\9ab847e59a12e75b3e2851298a8f0aa0d79b5865cf03956b65828631dfd3f974.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\SysWOW64\dllhost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648KB