Analysis
- max time kernel: 144s
- max time network: 121s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 09:26
Static task: static1
Behavioral task: behavioral1 (sample KHFOPL.exe, resource win7v200722)
Behavioral task: behavioral2 (sample KHFOPL.exe, resource win10)
General
- Target: KHFOPL.exe
- Size: 329KB
- MD5: bbea4121c22c72511cd75c29fc4f2dcd
- SHA1: 89a363f16b4357c82a9d5c280a6d1c970a936f28
- SHA256: a550b01785417d0c802740cb128aa26d4415414458b87877b634bed5c2694ad5
- SHA512: cd1fd7e1555c6844cb7e38d3f5962a33f4eb08ab1459c4f29ebe69d0feb5946e0f3a06136bca923e30bc2943000b8cfdde26b523694020b267e1fb716abfc81e
Malware Config
Extracted family: lokibot
C2 URLs (extracted from the sample's configuration):
- http://104.223.143.234/coconut/Panel/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
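The extracted C2 list is only useful once it is turned into something that can be matched against traffic. The following is an added example (not part of the sandbox report and not the sandbox's own tooling): it splits the five C2 URLs above into host and path indicators and scans a few constructed proxy log lines for them. The log format (timestamp, client, method, URL, status) and the client addresses are assumptions made for the example; the report does not show any network capture. Hits on a known host are reported regardless of HTTP status, because an outbound beacon attempt is evidence of infection whether or not the panel answered.

```python
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config above.
C2_URLS = [
    "http://104.223.143.234/coconut/Panel/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def build_indicators(urls):
    """Split each C2 URL into a blockable host and a huntable URL path."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname.lower())   # hostname is the bare IP for the first entry
        paths.add(p.path)
    return hosts, paths


# Constructed proxy log lines for the example (hypothetical; not from the report).
# Format assumed: <timestamp> <client> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2020-07-31T09:30:01Z 10.0.0.15 POST http://alphastand.top/alien/fre.php 404
2020-07-31T09:30:02Z 10.0.0.15 POST http://104.223.143.234/coconut/Panel/Panel/five/fre.php 200
2020-07-31T09:31:10Z 10.0.0.22 GET http://example.com/index.html 200
2020-07-31T09:32:44Z 10.0.0.15 POST http://unknown-host.example/alien/fre.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_proxy_log(log_text, hosts, paths):
    """Return (client, url, reason) for every line that touches a known C2 host,
    plus weaker hits for a POST to one of the known C2 paths on an unlisted host
    (the same panel path reused behind a host not in this sample's config)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, method, url, _status = m.groups()
        p = urlparse(url)
        host = (p.hostname or "").lower()
        if host in hosts:
            hits.append((client, url, "known C2 host"))
        elif p.path in paths and method == "POST":
            hits.append((client, url, "C2 path pattern, unknown host"))
    return hits


if __name__ == "__main__":
    known_hosts, known_paths = build_indicators(C2_URLS)
    for client, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG, known_hosts, known_paths):
        print(f"{client} -> {url}  [{reason}]")
```

The path-only match is deliberately reported with a distinct reason string: it is a lead to triage, not an indicator on its own, since `/alien/fre.php` is a panel layout rather than something unique to this sample.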
Signatures
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                              pid   process     target process
  PID 1040 set thread context of 1980      1040  KHFOPL.exe  KHFOPL.exe
-
Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid   process
  1980  KHFOPL.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1040  KHFOPL.exe
  Token: SeDebugPrivilege   1980  KHFOPL.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1040  KHFOPL.exe
  1040  KHFOPL.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                           pid   process     target process
  PID 1040 wrote to memory of 1980      1040  KHFOPL.exe  KHFOPL.exe
  (the same event is recorded 10 times: ten WriteProcessMemory calls from 1040 into 1980)
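Taken together, the signature tables describe one process (1040) writing into a second copy of its own image (1980) and then setting that copy's thread context, which is the injection pattern a hunter would want to correlate automatically rather than read off six separate tables. The following is an added example, not the sandbox's own logic: it rebuilds the report's events as constructed records (same PIDs, image names and API names as above; the sandbox's real event schema is not shown and the field names here are assumptions) and flags any (writer, target) pair that shows both WriteProcessMemory and SetThreadContext. A control pair that only writes memory (a constructed debugger-style case, not in the report) is included to show it is not flagged.

```python
from collections import defaultdict

# Records reconstructed from the signature tables above (constructed; field
# names are this example's own, not the sandbox's schema).
EVENTS = (
    [{"api": "AdjustPrivilegeToken", "pid": 1040, "image": "KHFOPL.exe",
      "privilege": "SeDebugPrivilege"},
     {"api": "AdjustPrivilegeToken", "pid": 1980, "image": "KHFOPL.exe",
      "privilege": "SeDebugPrivilege"}]
    + [{"api": "EnumeratesProcesses", "pid": 1040, "image": "KHFOPL.exe"}] * 2
    + [{"api": "WriteProcessMemory", "pid": 1040, "image": "KHFOPL.exe",
        "target": 1980, "target_image": "KHFOPL.exe"}] * 10
    + [{"api": "SetThreadContext", "pid": 1040, "image": "KHFOPL.exe",
        "target": 1980, "target_image": "KHFOPL.exe"}]
    + [{"api": "RenamesItself", "pid": 1980, "image": "KHFOPL.exe"}]
    # Constructed control case (not in the report): a process that writes into
    # another but never touches its thread context, so it must not be flagged.
    + [{"api": "WriteProcessMemory", "pid": 500, "image": "dbg.exe",
        "target": 600, "target_image": "app.exe"}]
)


def find_hollowing(events):
    """Return {(writer_pid, target_pid): counts} for pairs where the writer both
    wrote into the target (WriteProcessMemory) and redirected its execution
    (SetThreadContext). same_image marks injection into a copy of the writer's
    own binary, as in this report."""
    pairs = defaultdict(lambda: {"writes": 0, "set_ctx": 0, "same_image": False})
    for e in events:
        if e["api"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        rec = pairs[(e["pid"], e["target"])]
        rec["writes" if e["api"] == "WriteProcessMemory" else "set_ctx"] += 1
        rec["same_image"] = e["image"].lower() == e["target_image"].lower()
    return {k: v for k, v in pairs.items() if v["writes"] and v["set_ctx"]}


def sedebug_holders(events):
    """PIDs that enabled SeDebugPrivilege. In this report both the injector and
    the injected copy do, consistent with the same payload running in each."""
    return sorted({e["pid"] for e in events
                   if e["api"] == "AdjustPrivilegeToken"
                   and e.get("privilege") == "SeDebugPrivilege"})


if __name__ == "__main__":
    for (writer, target), rec in find_hollowing(EVENTS).items():
        kind = "self-injection" if rec["same_image"] else "cross-process injection"
        print(f"{writer} -> {target}: {kind}, {rec['writes']} writes, "
              f"{rec['set_ctx']} SetThreadContext")
    print("SeDebugPrivilege enabled by:", sedebug_holders(EVENTS))
```

The rule deliberately does not key on call ordering or write counts: the ten identical WriteProcessMemory rows above are one payload being copied in pieces, and a single write plus one SetThreadContext would be just as significant.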
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\KHFOPL.exe (PID 1040)
   Command line: "C:\Users\Admin\AppData\Local\Temp\KHFOPL.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
-
2⤵ C:\Users\Admin\AppData\Local\Temp\KHFOPL.exe (PID 1980, child of PID 1040)
   Command line: "{path}"
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken