Analysis
- max time kernel: 125s
- max time network: 131s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 12:44
Static task: static1
Behavioral task: behavioral1
- Sample: gunzipped.exe
- Resource: win7v200430
General
- Target: gunzipped.exe
- Size: 594KB
- MD5: daf20ae31ae380066f03d7b90f828735
- SHA1: 10b8fa6f1c261e2bf004ef7a939c3b160e2a53e2
- SHA256: ffb7ccb5a829c474cf0548ad26fc01c6ddeaa58650faa6ba764c6ab83b0cb268
- SHA512: 42705d44aee3fc72949bbe9ba39d863d7704e141d99f7c75195f05e30903093cdf93c962b2237397109a42eba6938093925c80ad7afeb040ef65764420c7fe32
Malware Config
Extracted: lokibot
- http://79.124.8.8/plesk-site-preview/chongelctricals.com/http/79.124.8.8/legend/Panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process        target process
    PID 1388 set thread context of 1444   1388  gunzipped.exe  gunzipped.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1444  gunzipped.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes:
    pid   process
    1444  gunzipped.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1388  gunzipped.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                          pid   process        target process
    PID 1388 wrote to memory of 1444     1388  gunzipped.exe  gunzipped.exe
    PID 1388 wrote to memory of 1444     1388  gunzipped.exe  gunzipped.exe
    PID 1388 wrote to memory of 1444     1388  gunzipped.exe  gunzipped.exe
    PID 1388 wrote to memory of 1444     1388  gunzipped.exe  gunzipped.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   process
    1388  gunzipped.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (1)
  command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (2)
    command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself