Analysis

max time kernel: 126s
max time network: 124s
platform: windows7_x64
resource: win7
submitted: 30-06-2020 08:36

Static task: static1
Behavioral task: behavioral1
Sample: new crypted.exe
Resource: win7
General

Target: new crypted.exe
Size: 599KB
MD5: 528e2a7d71e7d96e8c8e59d5ebb2bd1c
SHA1: 54cd335268104d8b22d66a24796050ee48a3ac72
SHA256: 5f7ea0bdf9b037b2a19d42325085035c419f86d967814bf8f544b8eaa39841eb
SHA512: 46dd6d165fce867b2e3f3603d6c6ecbd1dd5c48d0a6ae2354fc7edf0254e2d0d6d45574db18731d73d43030322a4421614903049f6aa78aa4e144f783987b2aa
Malware Config

Extracted family: lokibot
C2 URLs:
- airmanselectiontest.com/oo/Panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
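The five C2 URLs above are the actionable network indicators from this sample. The following is an added example, not code from the sandbox or the report: it parses the extracted URLs into host/path indicators (handling the first entry, which was extracted without a scheme) and sweeps constructed proxy log lines for exact C2 URL hits and for any other contact with a C2 host. The log format (timestamp, source IP, method, URL) and the log lines themselves are assumptions built for illustration; only the URL list is taken from the report.

```python
"""Added example, not part of the sandbox report: turn the extracted LokiBot
C2 URLs into host/path indicators and sweep proxy log lines for them.
C2_URLS is copied from the report; SAMPLE_LOG is constructed for illustration."""
from urllib.parse import urlsplit

C2_URLS = [
    "airmanselectiontest.com/oo/Panel/fre.php",  # extracted without a scheme
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def parse_c2(url):
    """Return (host, path). A scheme-less entry is assumed to be plain HTTP;
    without a scheme urlsplit would put the host into the path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, parts.path


def c2_indicators(urls=C2_URLS):
    """Unique hosts and (host, path) pairs for a blocklist or a detection rule."""
    pairs = {parse_c2(u) for u in urls}
    hosts = {host for host, _path in pairs}
    return hosts, pairs


def find_c2_hits(log_lines, urls=C2_URLS):
    """Flag lines that reach a known C2 URL exactly, and lines that reach a
    C2 host on any other path (same infrastructure, different path)."""
    hosts, pairs = c2_indicators(urls)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # assumed format: timestamp src_ip method url
        ts, src, _method, url = fields[:4]
        host, path = parse_c2(url)
        if (host, path) in pairs:
            hits.append((ts, src, host, path, "exact C2 URL"))
        elif host in hosts:
            hits.append((ts, src, host, path, "C2 host"))
    return hits


# Constructed proxy log lines (timestamp src_ip method url); not from the report.
SAMPLE_LOG = [
    "2020-06-30T08:40:01 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php",
    "2020-06-30T08:40:02 10.0.0.15 GET http://www.example.com/index.html",
    "2020-06-30T08:40:03 10.0.0.22 POST http://alphastand.top/alien/fre.php",
    "2020-06-30T08:40:04 10.0.0.22 POST http://airmanselectiontest.com/oo/Panel/fre.php",
    "2020-06-30T08:40:05 10.0.0.31 GET http://alphastand.win/robots.txt",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(*hit)
```

Host-level matching is deliberate: all five panels share the `fre.php` filename, so a host from the list contacted on a different path is still worth a look rather than a silent miss.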
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID   process
  1088  new crypted.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        PID   process          target process
  PID 1088 wrote to memory of 1204   1088  new crypted.exe  new crypted.exe
  PID 1088 wrote to memory of 1204   1088  new crypted.exe  new crypted.exe
  PID 1088 wrote to memory of 1204   1088  new crypted.exe  new crypted.exe
  PID 1088 wrote to memory of 1204   1088  new crypted.exe  new crypted.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID   process
  1088  new crypted.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          PID   process          target process
  PID 1088 set thread context of 1204  1088  new crypted.exe  new crypted.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               PID   process
  Token: SeDebugPrivilege   1204  new crypted.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  PID   process
  1204  new crypted.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\new crypted.exe (PID 1088)
   Command line: "C:\Users\Admin\AppData\Local\Temp\new crypted.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\new crypted.exe (PID 1204, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\new crypted.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself
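Read together, the signature rows and the process tree describe one injection chain: the first instance (PID 1088) spawns a second copy of its own image (PID 1204), writes into it four times, calls MapViewOfSection and sets the child's thread context; the child then enables SeDebugPrivilege and renames itself. The following is an added example, not the sandbox's own detection code: it correlates per-API events of this kind into a single process-hollowing finding and separates the injector's actions from what the payload does once it runs in the target. The event records are constructed from the report's tables; the tuple layout is an assumed record format, not the sandbox's schema.

```python
"""Added example, not code from the sandbox report: correlate the per-API
signature rows into one process-hollowing finding. EVENTS is constructed
from the report's tables (PIDs 1088 and 1204); the tuple layout is an
assumed record format, not the sandbox's native schema."""
from collections import defaultdict
import ntpath

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\new crypted.exe"

# (event, pid, image, target_pid, target_image, detail)
EVENTS = [
    ("EnumeratesProcesses", 1088, IMAGE, None, None, ""),
    ("WriteProcessMemory", 1088, IMAGE, 1204, IMAGE, ""),
    ("WriteProcessMemory", 1088, IMAGE, 1204, IMAGE, ""),
    ("WriteProcessMemory", 1088, IMAGE, 1204, IMAGE, ""),
    ("WriteProcessMemory", 1088, IMAGE, 1204, IMAGE, ""),
    ("MapViewOfSection", 1088, IMAGE, None, None, ""),
    ("SetThreadContext", 1088, IMAGE, 1204, IMAGE, ""),
    ("AdjustPrivilegeToken", 1204, IMAGE, None, None, "SeDebugPrivilege"),
    ("RenamesItself", 1204, IMAGE, None, None, ""),
]

# A write into another process followed by a thread-context change on the same
# target is the minimal injection chain worth alerting on.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_hollowing(events):
    """Group cross-process events by (source, target) and report every pair
    that shows the full chain; same_image marks injection into a copy of
    the source's own executable, as in this sample."""
    by_pair = defaultdict(lambda: defaultdict(int))
    images = {}
    for ev, pid, image, tpid, timage, _detail in events:
        images[pid] = image
        if tpid is not None:
            images[tpid] = timage
            by_pair[(pid, tpid)][ev] += 1
    findings = []
    for (src, dst), counts in by_pair.items():
        if HOLLOWING_APIS <= set(counts):
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": counts["WriteProcessMemory"],
                "same_image": ntpath.basename(images[src]).lower()
                              == ntpath.basename(images[dst]).lower(),
                "target_image": images[dst],
            })
    return findings


def post_injection_activity(events, target_pid):
    """Events the injected target performed itself: what the payload does
    once it runs inside the hollowed process (here: SeDebugPrivilege, rename)."""
    return [(ev, detail) for ev, pid, _img, _tpid, _timg, detail in events
            if pid == target_pid]


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS):
        print("hollowing candidate:", finding)
        print("payload activity:",
              post_injection_activity(EVENTS, finding["target_pid"]))
```

Keying on the (source, target) pair rather than on single API calls is what keeps this from firing on every debugger or installer that touches another process: both a memory write and a thread-context change against the same target are required, and the same-image flag singles out the self-hollowing pattern this sample shows.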