Analysis
max time kernel: 66s
max time network: 63s
platform: windows10_x64
resource: win10
submitted: 13-07-2020 07:05
Static task: static1
Behavioral task: behavioral1
Sample: Request For Quotation.exe
Resource: win7v200430
General
Target: Request For Quotation.exe
Size: 851KB
MD5: c1eb65ab319f55bd54b91a4ade3234ab
SHA1: 2712d7c0a08296ad0f373fce962f2cc07a2fe3ca
SHA256: 268c70192ec2b0f6d279ee5d946de5dc694a68cb8b27aa991a8de5c87c41dc63
SHA512: ee765845fede0d0421cd6c69b19716e8b642edaec1572fb19e0574a8737c50f420afe174f3385fe458f383409a9889faae89bcfdbf7746baa9c9a94ea2f2f9eb
Malware Config
Extracted family: lokibot
http://195.69.140.147/.op/cr.php/u1DEZ4oVQPK3w
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Note: the four alien/fre.php URLs are the hard-coded fallback addresses that appear in most LokiBot samples built with the leaked builder; the first URL is the operator-specific C2 and the one that is unique to this campaign when building blocklists or pivoting.
Signatures

Suspicious behavior: RenamesItself (1 IoC)
  PID 3720  Request For Quotation.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3536  Request For Quotation.exe
  PID 3536  Request For Quotation.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3536 (Request For Quotation.exe) wrote to memory of PID 3720 (Request For Quotation.exe)
  PID 3536 (Request For Quotation.exe) wrote to memory of PID 3720 (Request For Quotation.exe)
  PID 3536 (Request For Quotation.exe) wrote to memory of PID 3720 (Request For Quotation.exe)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3536  Request For Quotation.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 3536 (Request For Quotation.exe) set thread context of PID 3720 (Request For Quotation.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3720  Request For Quotation.exe  Token: SeDebugPrivilege
Processes

1. "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"  (PID 3536)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext

   2. "C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe"  (PID 3720, child of PID 3536)
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken

Read together with the signatures above, the tree shows the first instance spawning a second copy of its own image, writing into that child three times, and then redirecting one of its threads with SetThreadContext; only afterwards does the child enable SeDebugPrivilege. That is the process-hollowing sequence: the on-disk file is a loader, and the unpacked payload runs inside PID 3720, so a memory dump for further analysis should be taken from that process rather than from the file.
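The following is an added example, not output from the sandbox or code from the report's author. It transcribes the rows of the Signatures and Processes sections into plain Python records (the PROCESSES and EVENTS tables and their field names are constructed for this example and are not the sandbox's export format), flags the parent-to-child self-injection pattern by requiring both a memory write and an execution hijack against the same target, and defangs the extracted C2 URLs so they can be pasted into a ticket or report without becoming live links.

```python
"""Added example: flag the parent-to-child self-injection pattern recorded in
the Signatures section and defang the extracted C2 URLs for sharing.

The PROCESSES and EVENTS tables below are constructed by hand from the rows of
this report; they are not the sandbox's own export format, and the field names
are assumptions made for this example.
"""

from collections import defaultdict

# Process table, transcribed from the "Processes" tree (PIDs from the signature rows).
PROCESSES = {
    3536: {"image": r"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe", "parent": None},
    3720: {"image": r"C:\Users\Admin\AppData\Local\Temp\Request For Quotation.exe", "parent": 3536},
}

# One record per row of the report's signature tables. "target" is None for
# events that do not touch another process.
EVENTS = [
    {"api": "EnumeratesProcesses", "pid": 3536, "target": None},
    {"api": "EnumeratesProcesses", "pid": 3536, "target": None},
    {"api": "WriteProcessMemory", "pid": 3536, "target": 3720},
    {"api": "WriteProcessMemory", "pid": 3536, "target": 3720},
    {"api": "WriteProcessMemory", "pid": 3536, "target": 3720},
    {"api": "MapViewOfSection", "pid": 3536, "target": None},
    {"api": "SetThreadContext", "pid": 3536, "target": 3720},
    {"api": "RenamesItself", "pid": 3720, "target": None},
    {"api": "AdjustPrivilegeToken", "pid": 3720, "target": None, "token": "SeDebugPrivilege"},
]

# URLs from the "Malware Config" section, verbatim.
C2_URLS = [
    "http://195.69.140.147/.op/cr.php/u1DEZ4oVQPK3w",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Any of these after WriteProcessMemory means the writer also started or
# redirected execution in the target, which is what turns "wrote memory"
# into "injected and ran code".
EXEC_HIJACK_APIS = {"SetThreadContext", "CreateRemoteThread", "QueueUserAPC"}


def find_self_injection(processes, events):
    """Group cross-process events by (source, target) and report every pair
    where the source both wrote into the target and hijacked execution there.
    A target that is the source's own child with the same image path is the
    hollowing-style "spawn a copy of myself and overwrite it" pattern; any
    other target is injection into an unrelated process."""
    apis_by_pair = defaultdict(set)
    for ev in events:
        if ev["target"] is not None and ev["target"] != ev["pid"]:
            apis_by_pair[(ev["pid"], ev["target"])].add(ev["api"])

    findings = []
    for (src, dst), apis in sorted(apis_by_pair.items()):
        if "WriteProcessMemory" not in apis or not (apis & EXEC_HIJACK_APIS):
            continue
        same_image = processes[src]["image"].lower() == processes[dst]["image"].lower()
        is_child = processes[dst]["parent"] == src
        findings.append({
            "source": src,
            "target": dst,
            "apis": sorted(apis),
            "verdict": "self-injection (hollowing-like)" if same_image and is_child
                       else "remote injection",
        })
    return findings


def defang(url):
    """Rewrite a URL so it cannot be clicked or auto-linked when shared:
    scheme http(s) -> hxxp(s), and every dot in the host -> [.]. The path is
    left intact because it is not a link target on its own."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def defanged_c2s(urls=C2_URLS):
    """Defanged copy of the report's C2 list, in the original order."""
    return [defang(u) for u in urls]


if __name__ == "__main__":
    for f in find_self_injection(PROCESSES, EVENTS):
        print(f"PID {f['source']} -> PID {f['target']}: {f['verdict']} via {', '.join(f['apis'])}")
    for u in defanged_c2s():
        print(u)
```

The write-plus-hijack requirement is deliberate: a lone WriteProcessMemory row is common in benign software (debuggers, installers, some AV agents), whereas a write followed by SetThreadContext, CreateRemoteThread or QueueUserAPC against the same target is what this report actually shows and is what a detection should key on.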