Analysis
max time kernel: 128s
max time network: 133s
platform: windows7_x64
resource: win7
submitted: 31-07-2020 12:12
Static task: static1
Behavioral task: behavioral1
Sample: eb10f63dfbef8562e34771e306f52c8a.exe
Resource: win7
General
Target: eb10f63dfbef8562e34771e306f52c8a.exe
Size: 100KB
MD5: eb10f63dfbef8562e34771e306f52c8a
SHA1: daad8c52400fbdcec0a1f8365d3a061087ada11d
SHA256: b64ddd178d652c5432004449edc53fea2abdba8633259b4d8b329e1c8484e98a
SHA512: a426eb862442ea9b92d927df935fc49ccffa3f965be9493cedda03c6a4d2c0d7361073d10a431b9f012e1adca867b8f3e161e291fe0c4372beb84dfe70968219
Malware Config
Extracted family: lokibot
C2 URLs:
http://104.223.143.234/coconut/Panel/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1496  eb10f63dfbef8562e34771e306f52c8a.exe
  Token: SeDebugPrivilege   904   vbc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1496  eb10f63dfbef8562e34771e306f52c8a.exe
  1496  eb10f63dfbef8562e34771e306f52c8a.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                      pid   process                               target process
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe
  PID 1496 wrote to memory of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   process                               target process
  PID 1496 set thread context of 904  1496  eb10f63dfbef8562e34771e306f52c8a.exe  vbc.exe

Uses the VBS compiler for execution (1 TTP)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes

C:\Users\Admin\AppData\Local\Temp\eb10f63dfbef8562e34771e306f52c8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb10f63dfbef8562e34771e306f52c8a.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  └ C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken