Overview

overview

10

Static

static

1

win32.exe

windows7_x64

10

win32.exe

windows10_x64

10

Resubmissions

08-09-2020 17:20

200908-pgj23a6kq6 10

08-09-2020 07:26

200908-nczeywwlb2 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    win32.exe

  • Size

    264KB

  • Sample

    200908-nczeywwlb2

  • MD5

    aee8a4f7de7a199cc9a7d5cfbc3e11d9

  • SHA1

    cd6c91aa00c6cf69573fb156198b6afb44a5a6e6

  • SHA256

    5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886

  • SHA512

    7fefe7d493b1fc2a51db5d1e53fc0b59629f0aa982169a87378d0880d10dc051f337a0d3fb2cefb73a6a546d8910c189aa5cdd9539489db22c34e68f7b0c972e

Score
10/10
betabotformbooklokibotbackdoorbotnetevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://joovy.ga/webxpo/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

formbook

C2

http://www.artiyonq.com/pw9/

Decoy

applephone.red

bureauxfashion.com

05044444.com

newmarketingideas.net

7754y.com

976life.com

rilio.realty

amandakohar.com

003manbetx.com

tomtomxl.com

pulse-group.com

qdhtdzj.com

desitebuilder.com

ivymaephotography.info

sgpoloclub.com

aaeventsshop.com

mobilesant.com

lewismobilewelding.com

firefromthearchives.com

printathomeparties.com

Targets

    • Target

      win32.exe

    • Size

      264KB

    • MD5

      aee8a4f7de7a199cc9a7d5cfbc3e11d9

    • SHA1

      cd6c91aa00c6cf69573fb156198b6afb44a5a6e6

    • SHA256

      5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886

    • SHA512

      7fefe7d493b1fc2a51db5d1e53fc0b59629f0aa982169a87378d0880d10dc051f337a0d3fb2cefb73a6a546d8910c189aa5cdd9539489db22c34e68f7b0c972e

    Score
    10/10
    spywaretrojanstealerlokibotratformbookevasionbackdoorbotnetbetabotpersistence

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

      trojanbackdoorbotnetbetabot

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Modifies firewall policy service

      evasion

    • Formbook Payload

      rat

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Sets file execution options in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks