Analysis
-
max time kernel
125s -
max time network
121s -
platform
windows7_x64 -
resource
win7 -
submitted
24-06-2020 15:08
Static task
static1
Behavioral task
behavioral1
Sample
ad511691e78c78c8bf5cb7e31b5e5fe5.exe
Resource
win7
General
-
Target
ad511691e78c78c8bf5cb7e31b5e5fe5.exe
-
Size
1.1MB
-
MD5
ad511691e78c78c8bf5cb7e31b5e5fe5
-
SHA1
a5272e4d8c29769c04a9501d3fef43d60e534796
-
SHA256
8b1e6b21b170c9f30c56b8b600884c31098629e92fabfadf563cdc486ef3c8a0
-
SHA512
221aba69cc0c548b97141be7b0c7d25b4887701868b4a27abb7b4802183e2370341432a22f1605ad28b71a01fd5f1e216f9aeadc09255f03736679e850c891ab
Malware Config
Extracted
lokibot
http://b2bseller.ga/choolee/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
ad511691e78c78c8bf5cb7e31b5e5fe5.exepid process 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
ad511691e78c78c8bf5cb7e31b5e5fe5.exedescription pid process target process PID 1100 wrote to memory of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe PID 1100 wrote to memory of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe PID 1100 wrote to memory of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe PID 1100 wrote to memory of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe PID 1100 wrote to memory of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe PID 1100 wrote to memory of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ad511691e78c78c8bf5cb7e31b5e5fe5.exedescription pid process target process PID 1100 set thread context of 1228 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe dllhost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dllhost.exedescription pid process Token: SeDebugPrivilege 1228 dllhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
ad511691e78c78c8bf5cb7e31b5e5fe5.exepid process 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe 1100 ad511691e78c78c8bf5cb7e31b5e5fe5.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad511691e78c78c8bf5cb7e31b5e5fe5.exe"C:\Users\Admin\AppData\Local\Temp\ad511691e78c78c8bf5cb7e31b5e5fe5.exe"1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\SysWOW64\dllhost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken