Analysis
max time kernel: 148s
max time network: 130s
platform: windows10_x64
resource: win10v200722
submitted: 31-07-2020 10:54

Static task: static1
Behavioral task: behavioral1
Sample: e3e5da5bcf5aaf6e54271bef8c39b726.exe
Resource: win7
General
Target: e3e5da5bcf5aaf6e54271bef8c39b726.exe
Size: 100KB
MD5: e3e5da5bcf5aaf6e54271bef8c39b726
SHA1: 82137e8ed973f838e992c09cde4554900c93973b
SHA256: 15e84355978fd585af794a5aa1b61144a9197d1410219a4e129aca0ce953904d
SHA512: 119fb0ba6b68a3e6e3e54b8aadfc5f73c53c4b4e15cc4f97320cf37dd24002159a7df8591e16544662f0bfa79045ef8126799ac566c09c2d2035a267eca1f149
Malware Config
Extracted family: lokibot
C2 URLs (from the extracted configuration):
http://104.223.143.234/coconut/Panel/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
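The five URLs above are the only network indicators the report gives. The following is an added example (not part of the sandbox report or its tooling) that turns them into IP, domain and full-URL indicators and sweeps proxy log lines for them. The log format (`<timestamp> <client_ip> <method> <url> <status>`) and the log lines themselves are constructed for the example; only the C2 URLs come from the report.

```python
"""Extract indicators from the Lokibot C2 URLs above and sweep proxy logs for them.

Added example: the log format and sample lines are constructed; the C2 URLs are
the ones the report extracted from the sample's configuration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "http://104.223.143.234/coconut/Panel/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def extract_indicators(urls):
    """Split C2 URLs into IP, domain and host+path indicators.

    Hosts are lower-cased; a host only lands in the IP set if it parses as an
    address, so a hostname that merely looks numeric stays a domain.
    """
    ips, domains, full = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
        full.add(f"{host}{parts.path}")
    return {"ips": ips, "domains": domains, "urls": full}


# Constructed proxy log lines (assumed format: "<ts> <client_ip> <method> <url> <status>").
# Lines 1 and 2 hit report indicators; line 3 is a lookalike that must NOT match
# (it only contains "alphastand.trade" as a label prefix); line 4 is benign.
SAMPLE_LOG = """\
2020-07-31T10:55:01Z 10.0.0.12 POST http://alphastand.trade/alien/fre.php 404
2020-07-31T10:55:07Z 10.0.0.12 POST http://104.223.143.234/coconut/Panel/Panel/five/fre.php 200
2020-07-31T10:56:00Z 10.0.0.34 GET http://alphastand.trade.example.net/index.html 200
2020-07-31T10:57:13Z 10.0.0.34 GET http://www.example.com/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _host_matches(host, domains):
    """Exact match or a subdomain of a listed domain ('a.b.bid' matches 'b.bid')."""
    return host in domains or any(host.endswith("." + d) for d in domains)


def sweep_log(log_text, indicators):
    """Return one hit dict per log line whose destination hits a C2 indicator.

    A 404 from the panel is still a hit: the beacon happened whether or not the
    panel answered, so the status code is deliberately not part of the decision.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        ts, client, method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reason = None
        if host in indicators["ips"]:
            reason = "c2-ip"
        elif _host_matches(host, indicators["domains"]):
            reason = "c2-domain"
        if reason:
            hits.append({
                "ts": ts, "client": client, "method": method, "host": host,
                "reason": reason,
                "exact_url": f"{host}{parts.path}" in indicators["urls"],
            })
    return hits


if __name__ == "__main__":
    for hit in sweep_log(SAMPLE_LOG, extract_indicators(C2_URLS)):
        print(hit)
```

The domain match is suffix-based on purpose: Lokibot panels are often moved between subdomains of the same registered name, while a host that only contains the string (the lookalike on line 3) must not fire. The `exact_url` flag separates "talked to the host" from "hit the exact panel path", which is the difference between a triage lead and a confirmed beacon.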
Signatures

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 584 | e3e5da5bcf5aaf6e54271bef8c39b726.exe
Token: SeDebugPrivilege | 816 | vbc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
584 | e3e5da5bcf5aaf6e54271bef8c39b726.exe
584 | e3e5da5bcf5aaf6e54271bef8c39b726.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 584 wrote to memory of 816 | 584 | e3e5da5bcf5aaf6e54271bef8c39b726.exe | vbc.exe
(the same row is recorded 9 times: nine separate writes from 584 into 816)

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 584 set thread context of 816 | 584 | e3e5da5bcf5aaf6e54271bef8c39b726.exe | vbc.exe
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the .NET Framework Visual Basic command-line compiler, a signed Microsoft binary. The sample does not compile anything with it: it starts vbc.exe as a child (PID 816), writes into its memory nine times and then resets a thread context (see the WriteProcessMemory and SetThreadContext rows above), which is the classic process-hollowing sequence. The payload therefore runs under the name and signature of vbc.exe.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other profile contents.
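The WriteProcessMemory and SetThreadContext rows above are the behavioral core of this report. The following is an added example (not the sandbox's own detection logic) that parses those rows, groups them per (source PID, target PID) pair and flags the write-then-reset-context pattern. The regexes, the .NET host watchlist and the scoring are assumptions for illustration; the event rows are copied from the report, and the control rows are constructed.

```python
"""Flag process hollowing from the process-interaction IoCs in the report above.

Added example: the regexes, the .NET host watchlist and the scoring are
assumptions for illustration, not the sandbox's own detection logic.
"""
import re
from collections import defaultdict

# Event rows copied from the report's Signatures section (nine identical writes).
REPORT_EVENTS = """\
Token: SeDebugPrivilege 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe
Token: SeDebugPrivilege 816 vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 wrote to memory of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
PID 584 set thread context of 816 584 e3e5da5bcf5aaf6e54271bef8c39b726.exe vbc.exe
"""

# Constructed control rows: a parent writing a child's memory without ever
# resetting a thread context, as a debugger does. This must not be flagged.
CONTROL_EVENTS = """\
PID 900 wrote to memory of 901 900 devenv.exe app.exe
PID 900 wrote to memory of 901 900 devenv.exe app.exe
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")

# .NET Framework binaries that commodity stealers commonly hollow (assumed watchlist).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                "regsvcs.exe", "installutil.exe"}


def parse_events(text):
    """Group memory writes and thread-context resets per (source PID, target PID)
    and collect token privileges per PID. Unrecognised lines are ignored."""
    pairs = {}
    privs = defaultdict(set)
    for line in text.splitlines():
        wm, cm, tm = WRITE_RE.match(line), CTX_RE.match(line), TOKEN_RE.match(line)
        if wm or cm:
            src, dst, sname, dname = (wm or cm).groups()
            p = pairs.setdefault((int(src), int(dst)),
                                 {"src": sname, "dst": dname, "writes": 0, "set_context": False})
            if wm:
                p["writes"] += 1
            else:
                p["set_context"] = True
        elif tm:
            priv, pid, _name = tm.groups()
            privs[int(pid)].add(priv)
    return pairs, privs


def find_hollowing(pairs, privs):
    """A (parent, child) pair is a hollowing candidate only when the parent both
    writes the child's memory and resets a thread context: the write alone is
    what a debugger does, the context reset is what redirects execution into
    the injected image. Score: 2 for the pattern, +1 if the target is a known
    .NET host, +1 if the source holds SeDebugPrivilege."""
    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if not (p["writes"] and p["set_context"]):
            continue
        is_host = p["dst"].lower() in DOTNET_HOSTS
        has_debug = "SeDebugPrivilege" in privs.get(src, set())
        findings.append({
            "source_pid": src, "source": p["src"],
            "target_pid": dst, "target": p["dst"],
            "writes": p["writes"],
            "target_is_dotnet_host": is_host,
            "source_has_debug_privilege": has_debug,
            "score": 2 + int(is_host) + int(has_debug),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(*parse_events(REPORT_EVENTS)):
        print(finding)
    print("control:", find_hollowing(*parse_events(CONTROL_EVENTS)))
```

Requiring both event types is the point: Sysmon event ID 10 style "process accessed another process" telemetry is noisy on its own, and it is the SetThreadContext (NtSetContextThread) step that separates hollowing from a debugger or a crash handler touching a child. On a real host the same logic applies to Sysmon or EDR events; only the parsing layer changes.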
Processes

1. C:\Users\Admin\AppData\Local\Temp\e3e5da5bcf5aaf6e54271bef8c39b726.exe (PID 584)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e3e5da5bcf5aaf6e54271bef8c39b726.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

2. (child of 1) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 816)
   Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
   - Suspicious use of AdjustPrivilegeToken