Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7 -
submitted
14-07-2020 06:31
General
-
Target
chandler.exe
-
Size
557KB
-
MD5
b6208e7fb38b62395df0e67eaa2d1396
-
SHA1
890f78b07e048833ef23a23c85774ad81fd62cca
-
SHA256
0ff038b8766060a9271421332d144e11a9d2c7001375551dae3f3c195a33fbf7
-
SHA512
d2ec681c166ab436761c8a762ec8eb9270f6322d5627c0784aabb19b3d5822b202baafa7320548275c8071d96169b40ee784fab8f8f39214f129daca65ccd670
Score
10/10
Malware Config
Extracted
Family
lokibot
C2
http://mecharnise.ir/ea7/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
Processes
-
C:\Users\Admin\AppData\Local\Temp\chandler.exe"C:\Users\Admin\AppData\Local\Temp\chandler.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\chandler.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648KB
-
-
Filesize
648KB
-