Analysis
- max time kernel: 112s
- max time network: 105s
- platform: windows7_x64
- resource: win7v200722
- submitted: 02-08-2020 05:29
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
- Resource: win10
General
- Target: SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
- Size: 196KB
- MD5: c8622061c2330af588df35ae3e0d970b
- SHA1: 36bdf9909e56aa37d05fc664286a79fa25b9dbd6
- SHA256: ed3f7ab84c2988036a63e375a5fc9f98dff31fd2a9597b4eae79604ae622e6cd
- SHA512: e48007d08efe2ea5b4b5defbbcce78f9219aa16209e2ab4f44403020c58aaba0c8b0acd93c87e40e2595c3a3fe24e124564a1b4ed62caf0debebb8bd858453b6
Malware Config
Extracted family: lokibot
C2 URLs:
- http://mecharnise.ir/ea5/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid   process
    876   SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                       pid   process                                                    target process
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
    PID 1420 wrote to memory of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                                    target process
    PID 1420 set thread context of 876   1420  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe  SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    876   SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.52076.22337.3297.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken