Analysis

max time kernel: 126s
max time network: 151s
platform: windows10_x64
resource: win10v200430
submitted: 08-07-2020 08:49

Static task: static1
Behavioral task: behavioral1
Sample: Árajánlatkérés_UNIDEB2020·pdf.exe
Resource: win7
General

Target: Árajánlatkérés_UNIDEB2020·pdf.exe
Size: 571KB
MD5: 398ddb284685140f8caf840d4c855bd2
SHA1: 51dbb676d72f26d9ed94ea0b0ce9df66b14158f0
SHA256: a5059c6e3bbd590aa20810ed73f51c22b0140612e59c57a349c463769a6c9236
SHA512: ae58226a0217f04a8e20f31b743436ff6522bb7cb296f56169b3266f0a7656da198e748ea2196344fa73872c57dac9d085a027aa420b7386af53f55521b4587d
Malware Config

Extracted family: lokibot
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               | pid  | process
  Token: SeDebugPrivilege   | 1720 | Árajánlatkérés_UNIDEB2020·pdf.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid  | process
  1720 | Árajánlatkérés_UNIDEB2020·pdf.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1624 | Árajánlatkérés_UNIDEB2020·pdf.exe
  1624 | Árajánlatkérés_UNIDEB2020·pdf.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      | pid  | process                           | target process
  PID 1624 wrote to memory of 1720 | 1624 | Árajánlatkérés_UNIDEB2020·pdf.exe | Árajánlatkérés_UNIDEB2020·pdf.exe
  PID 1624 wrote to memory of 1720 | 1624 | Árajánlatkérés_UNIDEB2020·pdf.exe | Árajánlatkérés_UNIDEB2020·pdf.exe
  PID 1624 wrote to memory of 1720 | 1624 | Árajánlatkérés_UNIDEB2020·pdf.exe | Árajánlatkérés_UNIDEB2020·pdf.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid  | process
  1624 | Árajánlatkérés_UNIDEB2020·pdf.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          | pid  | process                           | target process
  PID 1624 set thread context of 1720  | 1624 | Árajánlatkérés_UNIDEB2020·pdf.exe | Árajánlatkérés_UNIDEB2020·pdf.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Árajánlatkérés_UNIDEB2020·pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Árajánlatkérés_UNIDEB2020·pdf.exe"
   PID: 1624
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\Árajánlatkérés_UNIDEB2020·pdf.exe (child of PID 1624)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Árajánlatkérés_UNIDEB2020·pdf.exe"
      PID: 1720
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself