Analysis
- max time kernel: 145s
- max time network: 132s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 12:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: eb10f63dfbef8562e34771e306f52c8a.exe
  - Resource: win7
General
- Target: eb10f63dfbef8562e34771e306f52c8a.exe
- Size: 100KB
- MD5: eb10f63dfbef8562e34771e306f52c8a
- SHA1: daad8c52400fbdcec0a1f8365d3a061087ada11d
- SHA256: b64ddd178d652c5432004449edc53fea2abdba8633259b4d8b329e1c8484e98a
- SHA512: a426eb862442ea9b92d927df935fc49ccffa3f965be9493cedda03c6a4d2c0d7361073d10a431b9f012e1adca867b8f3e161e291fe0c4372beb84dfe70968219
Malware Config
- Extracted family: lokibot
- C2 URLs (LokiBot fre.php HTTP gate):
  - http://104.223.143.234/coconut/Panel/Panel/five/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Signatures
- Uses the VBS compiler for execution (1 TTP)
  The "VBS compiler" here is vbc.exe, the .NET Framework Visual Basic command-line compiler, which the sample spawns as the target of the memory writes and thread-context change recorded below.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  500   eb10f63dfbef8562e34771e306f52c8a.exe
    Token: SeDebugPrivilege  672   vbc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    500   eb10f63dfbef8562e34771e306f52c8a.exe
    500   eb10f63dfbef8562e34771e306f52c8a.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                      pid   process                                target process
    PID 500 wrote to memory of 672   500   eb10f63dfbef8562e34771e306f52c8a.exe   vbc.exe   (9 identical events)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid   process                                target process
    PID 500 set thread context of 672   500   eb10f63dfbef8562e34771e306f52c8a.exe   vbc.exe

Taken together, the last three signatures are the process-hollowing pattern: the dropper (PID 500) spawns vbc.exe (PID 672), writes its payload into that process with WriteProcessMemory, redirects execution with SetThreadContext, and the hollowed vbc.exe then enables SeDebugPrivilege on its own token. The LokiBot payload therefore runs under a legitimate Microsoft .NET Framework binary rather than under the submitted file name, which is what to expect when hunting for it in process telemetry.
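As an added example (not part of this sandbox report or its signature engine), the script below parses IoC rows in the layout of the tables above and scores each parent/child pair for the process-hollowing pattern: a remote memory write, a SetThreadContext call, a known hollowing target image, and SeDebugPrivilege enabled in the child. The sample rows are constructed from this report's own PIDs and image names; the HOLLOW_TARGETS list and the scoring thresholds are assumptions of the example.

```python
"""Flag the process-hollowing pattern in flattened sandbox IoC rows.

The rows below are constructed from the signature tables in the report
above (same PIDs, image names and counts); the parsing and scoring are
an added example, not part of the sandbox's own logic.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Image names commonly spawned suspended and hollowed by packed stealers.
# This list is an assumption of the example, not something the report states.
HOLLOW_TARGETS = {
    "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
    "msbuild.exe", "installutil.exe", "applaunch.exe",
}

# Constructed sample input: one IoC row per line, in the report's own layout.
SAMPLE_ROWS = (
    "Token: SeDebugPrivilege 500 eb10f63dfbef8562e34771e306f52c8a.exe\n"
    "Token: SeDebugPrivilege 672 vbc.exe\n"
    + "PID 500 wrote to memory of 672 500 eb10f63dfbef8562e34771e306f52c8a.exe vbc.exe\n" * 9
    + "PID 500 set thread context of 672 500 eb10f63dfbef8562e34771e306f52c8a.exe vbc.exe\n"
)

RE_TOKEN = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
RE_XPROC = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$"
)


class Finding(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    write_count: int
    context_set: bool
    dst_has_debug_priv: bool
    score: int


def parse_rows(text):
    """Return (privileges, xproc).

    privileges: {pid: set(token names enabled by that pid)}
    xproc: {(src_pid, dst_pid): {"writes": n, "ctx": n, "src": image, "dst": image}}
    """
    privileges = defaultdict(set)
    xproc = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": "", "dst": ""})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RE_TOKEN.match(line)
        if m:
            privileges[int(m.group(2))].add(m.group(1))
            continue
        m = RE_XPROC.match(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            entry = xproc[(int(src), int(dst))]
            entry["src"], entry["dst"] = src_img, dst_img
            if action.startswith("wrote"):
                entry["writes"] += 1
            else:
                entry["ctx"] += 1
    return privileges, xproc


def find_hollowing(text, min_score=3):
    """Score each (src, dst) pair. A remote write plus SetThreadContext into a
    known hollow target is the core pattern; SeDebugPrivilege enabled inside
    the child (the injected payload adjusting its own token) adds weight."""
    privileges, xproc = parse_rows(text)
    findings = []
    for (src, dst), e in xproc.items():
        score = 0
        if e["writes"]:
            score += 1
        if e["ctx"]:
            score += 1
        if e["dst"].lower() in HOLLOW_TARGETS:
            score += 1
        has_dbg = "SeDebugPrivilege" in privileges.get(dst, set())
        if has_dbg:
            score += 1
        if score >= min_score:
            findings.append(Finding(src, dst, e["src"], e["dst"],
                                    e["writes"], bool(e["ctx"]), has_dbg, score))
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_ROWS):
        print(f"{f.src_image} (pid {f.src_pid}) -> {f.dst_image} (pid {f.dst_pid}): "
              f"{f.write_count} writes, ctx={f.context_set}, "
              f"debugpriv={f.dst_has_debug_priv}, score={f.score}")
```

On the report's rows this yields a single finding for 500 -> 672 with nine writes, a thread-context change, a hollow-target image and SeDebugPrivilege in the child (score 4 of 4). A pair that only shows a remote write into an unknown image does not reach the threshold, which keeps ordinary parent/child writes by installers and debuggers out of the result.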
Processes
1. C:\Users\Admin\AppData\Local\Temp\eb10f63dfbef8562e34771e306f52c8a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eb10f63dfbef8562e34771e306f52c8a.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken