Analysis
- max time kernel: 136s
- max time network: 54s
- platform: windows10_x64
- resource: win10v200430
- submitted: 08-07-2020 12:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Resource: win7
General
- Target: a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Size: 610KB
- MD5: 89aaf9fc5bb15426d80ffb8c983f1d14
- SHA1: 3c6f23b048214e07bf6c2a8ca914da6dc23ccb6a
- SHA256: a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6
- SHA512: 9b4602a0c12e20e4aa68f0112ba389ce459fb38890f582f2de81dc1438bd1f678bed528c9db99a2762d0ce2e36ba94ee1a4df4360aa0bb3b2e530b472cf1e907
Malware Config
- Extracted family: lokibot
- Extracted URLs:
  - http://rostovafile.ga/Colba2/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
    3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
    PID 3656 wrote to memory of 3580 / 3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
    PID 3656 wrote to memory of 3580 / 3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
    PID 3656 wrote to memory of 3580 / 3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 3656 set thread context of 3580 / 3656 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3580 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
    3580 / a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe"
   PID: 3656
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a9990e98039ba3491532d56cef0b55982b162a0b67c77eeae8c128a2f98652a6.exe"
      PID: 3580
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself