Analysis
Max time kernel: 130s
Max time network: 136s
Platform: windows7_x64
Resource: win7
Submitted: 30-06-2020 13:07
Static task: static1
Behavioral task: behavioral1
Sample: Purchase order.exe
Resource: win7 (windows7_x64)
Signatures: 0
Time: 0 seconds
General
Target: Purchase order.exe
Size: 314KB
MD5: 329e5766ebd9bbca8a790ee427e6a8a5
SHA1: 991d19b31d93f4e8a572ef79307921f33b7d8dab
SHA256: e7eb633b0bc14a4fee184364a31783aab035800613f4dde15a84f87243cf9879
SHA512: 21158e909e82cedd662506e0279113450678d4e1954cdb104ef0b2d3f5df7fbf5370d6bab12607a14c0300640f866d879ad8d80fc950962c3c4ee187f93e8ead
Malware Config
Extracted
Family: lokibot
C2:
- http://slimfile.cf/Slim/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
Description | PID | Process | Target process
PID 1496 wrote to memory of 280 | 1496 | Purchase order.exe | Purchase order.exe
(this same write event is recorded 10 times)
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
Description | PID | Process | Target process
PID 1496 set thread context of 280 | 1496 | Purchase order.exe | Purchase order.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
Description | PID | Process
Token: SeDebugPrivilege | 280 | Purchase order.exe
-
Suspicious behavior: RenamesItself (1 IoC)
Processes:
PID | Process
280 | Purchase order.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
Level 2 (child of the above): C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
Command line: "{path}"
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
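The chain recorded above (parent PID 1496 writes into a child with the same image name ten times, sets its thread context, and the child then enables SeDebugPrivilege) is the process-hollowing / self-injection pattern. The following is an added example, not part of the sandbox report or of any sandbox export format: it rebuilds the report's events as a constructed Python list (field names such as `op`, `pid`, `target_pid` are assumptions) and flags the pairs of processes that show both WriteProcessMemory and SetThreadContext, the privileges the injected target enables afterwards, and the set of C2 hosts from the extracted config.

```python
"""Flag the hollowing chain and C2 hosts from the sandbox report above.

EVENTS is constructed by hand from the report's Signatures section; the
field names are an assumption for this example, not a sandbox export format.
"""
from collections import Counter
from urllib.parse import urlparse

# Constructed from the report: PID 1496 writes into PID 280 (same image)
# ten times, then sets its thread context; PID 280 then enables
# SeDebugPrivilege.
EVENTS = (
    [{"op": "WriteProcessMemory", "pid": 1496, "image": "Purchase order.exe",
      "target_pid": 280, "target_image": "Purchase order.exe"}] * 10
    + [{"op": "SetThreadContext", "pid": 1496, "image": "Purchase order.exe",
        "target_pid": 280, "target_image": "Purchase order.exe"},
       {"op": "AdjustPrivilegeToken", "pid": 280,
        "image": "Purchase order.exe", "token": "SeDebugPrivilege"}]
)

# C2 gateways as listed in the report's Malware Config.
C2_URLS = [
    "http://slimfile.cf/Slim/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def detect_hollowing(events):
    """Return one finding per (writer, target) pair that shows both
    WriteProcessMemory and SetThreadContext.

    Either call alone is common in legitimate software (debuggers, some
    installers); the pair against one target, with a writer and target
    sharing an image name, is what makes the report's chain suspicious.
    """
    writes = Counter()
    ctx_set = set()
    images = {}
    for e in events:
        if e["op"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        key = (e["pid"], e["target_pid"])
        images[key] = (e["image"], e["target_image"])
        if e["op"] == "WriteProcessMemory":
            writes[key] += 1
        else:
            ctx_set.add(key)

    findings = []
    for key in sorted(ctx_set):
        if writes[key] == 0:
            continue  # SetThreadContext without any prior write: not hollowing
        src, dst = images[key]
        findings.append({
            "writer_pid": key[0],
            "target_pid": key[1],
            "write_count": writes[key],
            "self_injection": src.lower() == dst.lower(),
        })
    return findings


def post_injection_privileges(events, target_pids):
    """Tokens enabled by processes that were the target of an injection."""
    return sorted({e["token"] for e in events
                   if e["op"] == "AdjustPrivilegeToken"
                   and e["pid"] in target_pids})


def c2_hosts(urls):
    """Hostnames to block or hunt for, deduplicated and sorted."""
    return sorted({urlparse(u).hostname for u in urls})


if __name__ == "__main__":
    hits = detect_hollowing(EVENTS)
    for h in hits:
        print(f"hollowing: {h['writer_pid']} -> {h['target_pid']} "
              f"({h['write_count']} writes, self-injection={h['self_injection']})")
    print("privileges enabled by target:",
          post_injection_privileges(EVENTS, {h["target_pid"] for h in hits}))
    print("C2 hosts:", c2_hosts(C2_URLS))
```

The same logic applies to live telemetry (for example Sysmon process-access events) once the field names are mapped; the point is that the two API uses are correlated per writer/target pair rather than alerted on individually.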