Analysis
- max time kernel: 97s
- max time network: 118s
- platform: windows10_x64
- resource: win10
- submitted: 08-07-2020 12:11

Static task: static1
Behavioral task: behavioral1
Sample: 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
Resource: win7v200430
General
- Target: 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
- Size: 646KB
- MD5: 326f92541289d653456900e9b7afb9ec
- SHA1: 4566b6195e555853703d1ea628f6ca828033e658
- SHA256: 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb
- SHA512: 08ff3c75dc1d45e1d8d1c7cf00485698ac21b34a5c29ecdca12949d419caabde58071d45b9fc22cd468a829ce1f3a795ced62d1021f0ddc8025720918aea84a1
Malware Config
Extracted
lokibot
http://t-mk.me/blessed/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  PID 3684 wrote to memory of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3684 set thread context of 3384 | 3684 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3384 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  3384 | 5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
  "C:\Users\Admin\AppData\Local\Temp\5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe"
  PID: 3684
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb.exe
    "{path}"
    PID: 3384
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself