Analysis
- max time kernel: 128s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-05-2020 00:27
Static task: static1
Behavioral task: behavioral1
Sample: 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe
Resource: win7v200430
General
- Target: 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe
- Size: 264KB
- MD5: 9f009726d938fbd19318c882908ae98a
- SHA1: eabb8d9398d36a126d4354b3ffb3f980670deec5
- SHA256: 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611
- SHA512: 09e83aa63c6bf966ee36f08fb3a4dd80515260ae256f476f6581ad3ac67205dd67b86655bb11385eb85be53028a354798a4bd3a455ae3582a04c54405b8f4f23
Malware Config
Extracted: lokibot
http://adobeaccessfile.cf/Decci3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 2040 wrote to memory of 1320 | 2040 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe (3 identical entries)
  PID 2040 wrote to memory of 1404 | 2040 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe (9 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2040 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe
  Token: SeDebugPrivilege | 1404 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  2040 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe (3 identical entries)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 2040 set thread context of 1404 | 2040 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  1404 | 6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe")
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe (command line: "{path}")
  - C:\Users\Admin\AppData\Local\Temp\6dddafd7036db55e88949281ab9b5e95610fbea94f25b176c16351fa6e713611.exe (command line: "{path}")
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself