Analysis
- Max time kernel: 140s
- Max time network: 129s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 07-07-2020 09:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: Filled Agreement.exe
- Resource: win7v200430
General
- Target: Filled Agreement.exe
- Size: 680KB
- MD5: ebb2e201fa781be48767800abcd146be
- SHA1: d7fcab02d1ec6f78bc0942c55d7bec09d851e64c
- SHA256: bdcc6a8591676b9d879a02bcd318bfdfa260769433865db3948d929f79b5e1fa
- SHA512: 832e2f735835b22474e83810513ea5242efd3c2243d6d73c14f4785414f258f2695c2b28b61a57a4de5e604c515722721dabf6df841e88653dc23b5a06da4780
Malware Config
- Extracted family: lokibot
- Extracted URLs:
  - http://sbqlobalfoods.com/rich/Panel/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: PID 1396, Filled Agreement.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: PID 1396 (Filled Agreement.exe) wrote to memory of PID 1420 (Filled Agreement.exe); 4 events
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: PID 1396, Filled Agreement.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: PID 1396 (Filled Agreement.exe) set thread context of PID 1420 (Filled Agreement.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1420, Filled Agreement.exe; Token: SeDebugPrivilege
- Suspicious behavior: RenamesItself (1 IoC)
  Process: PID 1420, Filled Agreement.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Processes
- C:\Users\Admin\AppData\Local\Temp\Filled Agreement.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Filled Agreement.exe"
  PID: 1396
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\Filled Agreement.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Filled Agreement.exe"
    PID: 1420
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself