Analysis
max time kernel: 142s
max time network: 152s
platform: windows7_x64
resource: win7
submitted: 30-06-2020 05:57
Static task: static1
Behavioral task: behavioral1
  Sample: Bank Reciept.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Bank Reciept.exe
  Resource: win10v200430
General
Target: Bank Reciept.exe
Size: 209KB
MD5: 0207edc8cf65c2e87d4ce3e72cf4ad1f
SHA1: 4ddda3e0700098a0dd64c44f78a5e2166b47d395
SHA256: a440dca4a1559d04426c05899989e611bd77d55b3fe00713b70e1b4968c8f61b
SHA512: a58c79ab3781cc4f2e12a563eb3243fe42ee28ad0838af25a41a50308e8dc246192a8471dc7b1edc8af8d48dd8864daa8531c59d8cdccba9f78c1532df838c79
Malware Config
Extracted: lokibot
- http://beckhoff-th.com/kon/kon2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (Bank Reciept.exe):
  description                      pid   process           target process
  PID 1344 wrote to memory of 876  1344  Bank Reciept.exe  Bank Reciept.exe
  (this identical row is reported 10 times)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (Bank Reciept.exe):
  description                         pid   process           target process
  PID 1344 set thread context of 876  1344  Bank Reciept.exe  Bank Reciept.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (Bank Reciept.exe):
  description              pid  process
  Token: SeDebugPrivilege  876  Bank Reciept.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (Bank Reciept.exe):
  pid  process
  876  Bank Reciept.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\Bank Reciept.exe (PID 1344)
  command line: "C:\Users\Admin\AppData\Local\Temp\Bank Reciept.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - child: C:\Users\Admin\AppData\Local\Temp\Bank Reciept.exe (PID 876)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself