Analysis

Max time kernel: 113s
Max time network: 120s
Platform: windows7_x64
Resource: win7
Submitted: 13-07-2020 06:35

Tasks

Static task: static1
Behavioral task: behavioral1 (sample: whitty.exe, resource: win7)
Behavioral task: behavioral2 (sample: whitty.exe, resource: win10v200430)
General

Target: whitty.exe
Size: 154KB
MD5: 2e107acd5b8ed0e66c5fee0513ace7c1
SHA1: 94fc8fd5e841283747390f80583392dc85f845bb
SHA256: 57e052aa747095c82cdc7e459d734e98bf1dde6853d94f2b1179f47b30ddcdad
SHA512: 93d27f39f10a4c5c27adba3e1bd06a2189d36d2bf8e3250585733ec80d7d783daa09e5c9ea2264a4458adc972b4ef702736058b45e9e38ac064c341c535bed26
Malware Config

Extracted family: lokibot
C2 URLs:
- http://79.124.8.8/plesk-site-preview/akinsab.ru/http/79.124.8.8/whitty/Panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1460  whitty.exe
  Token: SeDebugPrivilege  292   whitty.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1460  whitty.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   process     target process
  PID 1460 set thread context of 292  1460  whitty.exe  whitty.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  292   whitty.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                       pid   process     target process
  PID 1460 wrote to memory of 788   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 788   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 788   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 788   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
  PID 1460 wrote to memory of 292   1460  whitty.exe  whitty.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\whitty.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\whitty.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\whitty.exe
    Command line: "{path}"

  Depth 2: C:\Users\Admin\AppData\Local\Temp\whitty.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself