Analysis

max time kernel: 100s
max time network: 94s
platform: windows7_x64
resource: win7v200430
submitted: 30-06-2020 13:08

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: Environmental.exe
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds
General

Target: Environmental.exe
Size: 318KB
MD5: 97d9322c14fac9b4108802d14e5c051e
SHA1: be0e39b06d8866856d4a6422cdaa9a930d3be31d
SHA256: 6a0b4f1e0d5b23e24597133b512d6b530cec42a5afbb619ea6d842c242207d16
SHA512: 4401c2023ac7ac7c21a425705f77a7979e70f963f96d64f36f53106f61a76efcddd08271157baa48dc52b716e8c4cd90bd9470288811e315c440fb44fb62ee99
Malware Config

Extracted
Family: lokibot
C2:
http://bobbyfile.ml/Bobby/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                         pid    process            target process
PID 1500 wrote to memory of 1816    1500   Environmental.exe  Environmental.exe
(this row is recorded 10 times in the report, one per WriteProcessMemory call)

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                            pid    process            target process
PID 1500 set thread context of 1816    1500   Environmental.exe  Environmental.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid    process
Token: SeDebugPrivilege   1816   Environmental.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid    process
1816   Environmental.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes

C:\Users\Admin\AppData\Local\Temp\Environmental.exe (depth 1; PID 1500 per the signature tables)
  command line: "C:\Users\Admin\AppData\Local\Temp\Environmental.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Local\Temp\Environmental.exe (depth 2; PID 1816 per the signature tables)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself
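The signature tables and the process tree above describe one pattern: the first Environmental.exe (PID 1500) starts a second copy of its own image (PID 1816), writes into it ten times and then sets the child's thread context, after which only the child enables SeDebugPrivilege and renames itself. Memory writes followed by SetThreadContext into a child of the same image are the write-and-redirect half of process hollowing (CreateProcess suspended, write payload, SetThreadContext, ResumeThread); the report shows the write and context-set steps but not the suspended create or the resume, so the code below only asserts what the tables show. The following is an added example, not part of the sandbox report or of the sandbox vendor's tooling: it runs that detection logic over constructed event records modelled on the report's rows (the field names are assumptions) and pulls blocklist hostnames out of the extracted C2 list by the LokiBot gate path (/fre.php), which every URL in the config ends with.

```python
"""Detect the same-image WriteProcessMemory + SetThreadContext pairing seen in
the report, and derive blocklist hosts from the extracted LokiBot C2 URLs.

Added example, not code from the sandbox report or its vendor.  The EVENTS
records are constructed to mirror the report's signature rows; the field names
(pid, image, api, target_pid, target_image, privilege) are assumptions.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed events modelled on the "Suspicious use of ..." tables (not a real log).
EVENTS = (
    [{"pid": 1500, "image": "Environmental.exe", "api": "WriteProcessMemory",
      "target_pid": 1816, "target_image": "Environmental.exe"}] * 10
    + [{"pid": 1500, "image": "Environmental.exe", "api": "SetThreadContext",
        "target_pid": 1816, "target_image": "Environmental.exe"},
       {"pid": 1816, "image": "Environmental.exe", "api": "AdjustPrivilegeToken",
        "privilege": "SeDebugPrivilege"}]
)

# C2 URLs as extracted from the sample's configuration in the report.
C2_URLS = [
    "http://bobbyfile.ml/Bobby/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def find_self_injection(events):
    """Return one finding per (parent, child) pair where the parent both wrote
    memory into and set the thread context of a child running the same image.

    Either API alone is noisy (debuggers, installers, AV hooks); the pair,
    directed at a child of the parent's own image, is rarely benign.
    """
    writes = defaultdict(int)   # (parent, child) -> WriteProcessMemory count
    context_set = set()         # (parent, child) pairs with SetThreadContext
    images = {}                 # (parent, child) -> (parent image, child image)
    sedebug = set()             # pids that enabled SeDebugPrivilege

    for ev in events:
        if ev["api"] == "AdjustPrivilegeToken" and ev.get("privilege") == "SeDebugPrivilege":
            sedebug.add(ev["pid"])
            continue
        if "target_pid" not in ev:
            continue
        key = (ev["pid"], ev["target_pid"])
        images[key] = (ev["image"].lower(), ev["target_image"].lower())
        if ev["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif ev["api"] == "SetThreadContext":
            context_set.add(key)

    findings = []
    for key in sorted(context_set):
        parent_img, child_img = images[key]
        if writes[key] == 0 or parent_img != child_img:
            continue
        findings.append({
            "parent_pid": key[0],
            "child_pid": key[1],
            "image": parent_img,
            "write_count": writes[key],
            # Child enabling SeDebugPrivilege after injection is the post-hollowing
            # behaviour the report shows for PID 1816; reported as context, not a gate.
            "child_has_sedebug": key[1] in sedebug,
        })
    return findings


def lokibot_gate_hosts(urls):
    """Hostnames of URLs whose path ends in the LokiBot panel gate '/fre.php'.

    Hosts, not full URLs, are what a DNS or proxy blocklist needs; the path
    filter keeps unrelated URLs in a mixed config from being blocked wholesale.
    """
    hosts = set()
    for url in urls:
        parsed = urlparse(url)
        if parsed.path.lower().endswith("/fre.php") and parsed.hostname:
            hosts.add(parsed.hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for finding in find_self_injection(EVENTS):
        print("self-injection:", finding)
    print("C2 hosts to block:", lokibot_gate_hosts(C2_URLS))
```

Run against the constructed events this yields a single finding for 1500 -> 1816 with ten writes and SeDebugPrivilege on the child, plus the five C2 hosts. On a real EDR feed the same logic applies to the process-access and thread-context telemetry; the same-image check is what keeps it from firing on ordinary debuggers.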