Analysis
max time kernel: 98s
max time network: 104s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 06:09
Static task: static1
Behavioral task: behavioral1
  Sample: (2020.07.13.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: (2020.07.13.exe
  Resource: win10v200430
General
Target: (2020.07.13.exe
Size: 154KB
MD5: d8ac268c14e3fec94e2e5d8b4bcb2b10
SHA1: e35f41e58941b087e60e861067bbe98673b98185
SHA256: edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727
SHA512: c316d05bf2ddf3af51fc051f2ecfa1e422894003a16b6301f10ff7ea05aff7c9bb889b4d5ceb7f9343ea4c532a79f7774dd212e764e2119fc5ebad4941f4e5e7
Malware Config
Extracted: lokibot
URLs:
http://79.124.8.8/plesk-site-preview/akinsab.ru/http/79.124.8.8/lento/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Suspicious use of WriteProcessMemory  (10 IoCs)
Processes:
  description                        pid   process           target process
  PID 1496 wrote to memory of 1848   1496  (2020.07.13.exe   (2020.07.13.exe
  (this row appears 10 times, one per WriteProcessMemory call from 1496 into 1848)

Suspicious use of SetThreadContext  (1 IoC)
Processes:
  description                            pid   process           target process
  PID 1496 set thread context of 1848    1496  (2020.07.13.exe   (2020.07.13.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1848  (2020.07.13.exe

Suspicious behavior: RenamesItself  (1 IoC)
Processes:
  pid   process
  1848  (2020.07.13.exe
Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Processes
C:\Users\Admin\AppData\Local\Temp\(2020.07.13.exe  (level 1; PID 1496 per the signature rows above)
  command line: "C:\Users\Admin\AppData\Local\Temp\(2020.07.13.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Local\Temp\(2020.07.13.exe  (level 2, child of PID 1496; PID 1848)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself
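The signature rows and the process tree together show one pattern: PID 1496 launches a second copy of its own image, writes into it ten times, sets a thread context in it, and the child (1848) then enables SeDebugPrivilege. That sequence (write memory into a freshly spawned same-image child, then redirect its thread) is what a RunPE-style self-hollowing loader looks like from the API side. The following is an added detection example, not part of the sandbox report; it correlates event records in capture order and flags parent/child pairs that were written to and then had a thread context set, scoring same-image pairs higher because debuggers and installers that legitimately use these APIs normally target a different binary. The `Event` field names and the `SAMPLE_EVENTS` records are constructed here to mirror the report's rows; they are assumptions, not the sandbox's native schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    """One API/behaviour event. Field names are an assumption of this example."""
    event: str                        # API or behaviour name
    pid: int                          # acting process
    image: str                        # acting process image path
    target_pid: Optional[int] = None  # set for cross-process APIs
    target_image: Optional[str] = None
    detail: str = ""                  # e.g. privilege name for AdjustPrivilegeToken


# Constructed to mirror the report's signature rows (not captured from the sandbox):
# 10x WriteProcessMemory and 1x SetThreadContext from 1496 into 1848, both running
# the same image, then SeDebugPrivilege enabled inside 1848.
IMG = r"C:\Users\Admin\AppData\Local\Temp\(2020.07.13.exe"
SAMPLE_EVENTS = (
    [Event("WriteProcessMemory", 1496, IMG, 1848, IMG) for _ in range(10)]
    + [
        Event("SetThreadContext", 1496, IMG, 1848, IMG),
        Event("AdjustPrivilegeToken", 1848, IMG, detail="SeDebugPrivilege"),
    ]
)


def find_hollowing_candidates(events: Iterable[Event]) -> list[dict]:
    """Flag (parent, child) pairs where the parent wrote into the child at least
    once and afterwards set a thread context in it. A SetThreadContext with no
    prior write, or writes that are never followed by a context change, are not
    flagged. Same-image pairs get a higher score; a child that later enables
    SeDebugPrivilege adds one more point."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    flagged: dict[tuple[int, int], dict] = {}
    privileges: dict[int, set[str]] = defaultdict(set)

    for ev in events:  # events must be supplied in capture order
        if ev.event == "AdjustPrivilegeToken" and ev.detail:
            privileges[ev.pid].add(ev.detail)
        if ev.target_pid is None or ev.target_pid == ev.pid:
            continue  # not a cross-process API call
        key = (ev.pid, ev.target_pid)
        if ev.event == "WriteProcessMemory":
            writes[key] += 1
        elif ev.event == "SetThreadContext" and writes[key] > 0 and key not in flagged:
            same_image = ev.image.lower() == (ev.target_image or "").lower()
            flagged[key] = {
                "parent_pid": ev.pid,
                "child_pid": ev.target_pid,
                "image": ev.image,
                "write_count": writes[key],
                "same_image": same_image,
                "score": 3 if same_image else 1,
            }

    # Enrich each hit with privileges the child enabled anywhere in the trace.
    for (_, child), hit in flagged.items():
        hit["child_privileges"] = sorted(privileges.get(child, ()))
        if "SeDebugPrivilege" in hit["child_privileges"]:
            hit["score"] += 1
    return sorted(flagged.values(), key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in find_hollowing_candidates(SAMPLE_EVENTS):
        print(hit)
```

On real EDR or sandbox telemetry the order check matters: writes that precede the context change are the loader staging the payload, whereas a lone SetThreadContext is routine for debuggers and some instrumentation. The "{path}" command line on the child in the tree above is a further point to pivot on once a pair is flagged.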