Analysis
-
max time kernel
109s -
max time network
121s -
platform
windows10_x64 -
resource
win10 -
submitted
24-06-2020 14:58
Static task
static1
Behavioral task
behavioral1
Sample
da3789c94460dee34c317f7461236f09.exe
Resource
win7v200430
General
-
Target
da3789c94460dee34c317f7461236f09.exe
-
Size
1.1MB
-
MD5
da3789c94460dee34c317f7461236f09
-
SHA1
3c5d9ea9767cf6e5e128c200cf397bc460891db4
-
SHA256
d2857b888fbab6dc4e36c403e86f39fedee428ba5ed45b28b8f99e59fb93ff58
-
SHA512
dd0b76ade86272eac66286f7c8c28c474853644d0560c66f5463161eb67338cfe59b72b0e10852857057fa97c0f0445e4610896fd2264d8bdade2ccc5c54f77c
Malware Config
Extracted
lokibot
http://104.223.170.102/typour/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
da3789c94460dee34c317f7461236f09.exedescription pid process target process PID 3536 wrote to memory of 2536 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 2536 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 2536 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 3860 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 3860 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 3860 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 3860 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe PID 3536 wrote to memory of 3860 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
da3789c94460dee34c317f7461236f09.exedescription pid process target process PID 3536 set thread context of 3860 3536 da3789c94460dee34c317f7461236f09.exe dllhost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
dllhost.exedescription pid process Token: SeDebugPrivilege 3860 dllhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
da3789c94460dee34c317f7461236f09.exepid process 3536 da3789c94460dee34c317f7461236f09.exe 3536 da3789c94460dee34c317f7461236f09.exe 3536 da3789c94460dee34c317f7461236f09.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
da3789c94460dee34c317f7461236f09.exepid process 3536 da3789c94460dee34c317f7461236f09.exe 3536 da3789c94460dee34c317f7461236f09.exe 3536 da3789c94460dee34c317f7461236f09.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da3789c94460dee34c317f7461236f09.exe"C:\Users\Admin\AppData\Local\Temp\da3789c94460dee34c317f7461236f09.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\SysWOW64\dllhost.exe"2⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\SysWOW64\dllhost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken