Analysis
- max time kernel: 58s
- max time network: 69s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 12:11
Static task: static1
Behavioral task: behavioral1
Sample: 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
Resource: win7
General
- Target: 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Size: 607KB
- MD5: 05e06166f7767f1c3d34ad3e4ab3009f
- SHA1: a7eaac1d28e5453cfb594977df91ee24ce357195
- SHA256: 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8
- SHA512: f902f9819ba394c2e39b281e159441f6cda6275984bd311971674af991b09ca8797ae9ee32c2e9649641558b2521b18ddb012429f15d91395e498df214517a00
Malware Config
Extracted: lokibot
- http://195.69.140.147/.op/cr.php/u1DEZ4oVQPK3w
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid | process):
    1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 1424 wrote to memory of 1536 | 1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
    PID 1424 wrote to memory of 1536 | 1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
    PID 1424 wrote to memory of 1536 | 1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
    PID 1424 wrote to memory of 1536 | 1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
    1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 1424 set thread context of 1536 | 1424 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1536 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
    1536 | 3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe"
   PID: 1424
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   2. (child of PID 1424) C:\Users\Admin\AppData\Local\Temp\3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3c4ed32a41025d81f99706a778597aa3dcef8034e81746e04ef197f37e7a25e8.exe"
      PID: 1536
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself