Analysis
max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7
submitted: 14-07-2020 06:31
Static task: static1
Behavioral task: behavioral1
    Sample: chandler.exe
    Resource: win7
Behavioral task: behavioral2
    Sample: chandler.exe
    Resource: win10v200430
General
Target: chandler.exe
Size: 557KB
MD5: b6208e7fb38b62395df0e67eaa2d1396
SHA1: 890f78b07e048833ef23a23c85774ad81fd62cca
SHA256: 0ff038b8766060a9271421332d144e11a9d2c7001375551dae3f3c195a33fbf7
SHA512: d2ec681c166ab436761c8a762ec8eb9270f6322d5627c0784aabb19b3d5822b202baafa7320548275c8071d96169b40ee784fab8f8f39214f129daca65ccd670
Malware Config
Extracted family: lokibot
C2 URLs:
    http://mecharnise.ir/ea7/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
Signatures

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
    description                      pid   process       target process
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe
    PID 1492 wrote to memory of 740  1492  chandler.exe  chandler.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
    description                         pid   process       target process
    PID 1492 set thread context of 740  1492  chandler.exe  chandler.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
    description              pid  process
    Token: SeDebugPrivilege  740  chandler.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
    pid  process
    740  chandler.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (process tree)

1. C:\Users\Admin\AppData\Local\Temp\chandler.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\chandler.exe"
   PID: 1492
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\chandler.exe (child of PID 1492)
      Command line: "{path}"
      PID: 740
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: RenamesItself