Analysis
- max time kernel: 70s
- max time network: 114s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 12:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: gunzipped.exe
- Resource: win7v200430
General
- Target: gunzipped.exe
- Size: 594KB
- MD5: daf20ae31ae380066f03d7b90f828735
- SHA1: 10b8fa6f1c261e2bf004ef7a939c3b160e2a53e2
- SHA256: ffb7ccb5a829c474cf0548ad26fc01c6ddeaa58650faa6ba764c6ab83b0cb268
- SHA512: 42705d44aee3fc72949bbe9ba39d863d7704e141d99f7c75195f05e30903093cdf93c962b2237397109a42eba6938093925c80ad7afeb040ef65764420c7fe32
Malware Config
Extracted family: lokibot
Extracted URLs:
- http://79.124.8.8/plesk-site-preview/chongelctricals.com/http/79.124.8.8/legend/Panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 3832 gunzipped.exe
  - 3832 gunzipped.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description; pid, process -> target process):
  - PID 3832 wrote to memory of 3916; 3832 gunzipped.exe -> gunzipped.exe
  - PID 3832 wrote to memory of 3916; 3832 gunzipped.exe -> gunzipped.exe
  - PID 3832 wrote to memory of 3916; 3832 gunzipped.exe -> gunzipped.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  - 3832 gunzipped.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid, process -> target process):
  - PID 3832 set thread context of 3916; 3832 gunzipped.exe -> gunzipped.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description; pid, process):
  - Token: SeDebugPrivilege; 3916 gunzipped.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid, process):
  - 3916 gunzipped.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Child process: C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself