General
Target: win32.exe
Size: 264KB
Sample: 200908-nczeywwlb2
MD5: aee8a4f7de7a199cc9a7d5cfbc3e11d9
SHA1: cd6c91aa00c6cf69573fb156198b6afb44a5a6e6
SHA256: 5d9004bb38a2e4c6ee1528f75e8453e778d9f39a3e7d9f02ee7821eae65cf886
SHA512: 7fefe7d493b1fc2a51db5d1e53fc0b59629f0aa982169a87378d0880d10dc051f337a0d3fb2cefb73a6a546d8910c189aa5cdd9539489db22c34e68f7b0c972e
Static task: static1
Behavioral task: behavioral1 (Sample: win32.exe, Resource: win7)
Malware Config
Extracted: lokibot
C2:
http://joovy.ga/webxpo/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted: formbook
C2: http://www.artiyonq.com/pw9/
Domains:
applephone.red
bureauxfashion.com
05044444.com
newmarketingideas.net
7754y.com
976life.com
rilio.realty
amandakohar.com
003manbetx.com
tomtomxl.com
pulse-group.com
qdhtdzj.com
desitebuilder.com
ivymaephotography.info
sgpoloclub.com
aaeventsshop.com
mobilesant.com
lewismobilewelding.com
firefromthearchives.com
printathomeparties.com
plantifullye.com
89oduy.com
agreetohealth.com
hairdesignworks.win
lasvegaslocalseo.com
njadjunctfaculty.com
splitpredictor.com
woomi.net
salaryforlive.com
managealert.com
99centvillagepizza.com
aryaroselondon.com
vyberent.com
synkamc.com
sastanci.com
hawaiimarinetourism.com
234manbetx.com
diadez.com
laundryxperts.com
whitefishdigitalmarketing.com
mnceh.net
dalonfood.com
bjthxkm.com
csichurchdublin.com
viceeducated.com
yihaomingshi.com
distributorwatermeter.com
chocolate-tv.com
2857352.com
erikahealth.info
cymeditour.com
simplicimo.com
ceddicedced.net
vinbike.net
vadsbomjolk.biz
cnxianhuo8.com
serviceacmadiun.com
ha-sd.com
200809.top
tributemyfantasy.com
mamarandian.com
pepephotos.com
ablecitymovers.com
ligaturemuzyk.com
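The two extracted configs above are raw lists; before they go into a blocklist or a ticket they need to be split into hosts, deduplicated and defanged. The script below does that for this report's indicators. It is an added example written by the editor, not code from the sandbox or from either malware family. Two assumptions are built in and labelled in the code: the "/alien/fre.php" hosts are treated as the hard-coded fallback URLs that appear across many Loki builds rather than this operator's panel, and the Formbook domain list (truncated here to its first entries) is treated the way Formbook configs are normally read, as a rotation list alongside the reported C2 URL.

```python
from urllib.parse import urlsplit

# Constructed input: the C2 URLs and domains as listed in the extracted
# configs above (Formbook list truncated here to keep the example short).
LOKIBOT_URLS = [
    "http://joovy.ga/webxpo/gate.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
FORMBOOK_C2 = "http://www.artiyonq.com/pw9/"
FORMBOOK_DOMAINS = [
    "applephone.red", "bureauxfashion.com", "05044444.com",
    "newmarketingideas.net", "7754y.com", "976life.com", "rilio.realty",
]

# Assumption: the "/alien/fre.php" hosts are the hard-coded fallback
# URLs found across many Loki builds, so they are kept but tagged so
# they are not mistaken for this operator's panel.
LOKI_FALLBACK_PATH = "/alien/fre.php"


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL (no port, no path)."""
    return (urlsplit(url).hostname or "").lower()


def defang(value: str) -> str:
    """Defang a URL or domain so it cannot be clicked or auto-linked."""
    return (value.replace("http://", "hxxp://")
                 .replace("https://", "hxxps://")
                 .replace(".", "[.]"))


def build_iocs(loki_urls, formbook_c2, formbook_domains):
    """Return a list of IOC dicts: family, type, value (defanged), note.

    Duplicates (same type and value, case-insensitive) are dropped."""
    out, seen = [], set()

    def add(family, kind, value, note):
        key = (kind, value.lower())
        if key in seen:
            return
        seen.add(key)
        out.append({"family": family, "type": kind,
                    "value": defang(value), "note": note})

    for url in loki_urls:
        note = ("generic Loki fallback URL (assumed)"
                if urlsplit(url).path == LOKI_FALLBACK_PATH
                else "lokibot panel gate")
        add("lokibot", "url", url, note)
        add("lokibot", "domain", host_of(url), note)

    add("formbook", "url", formbook_c2, "formbook C2 URL from report")
    add("formbook", "domain", host_of(formbook_c2), "formbook C2 host")
    for domain in formbook_domains:
        add("formbook", "domain", domain, "formbook config domain list")
    return out


def blocklist(iocs):
    """Sorted, re-fanged domain list suitable for a DNS sinkhole/RPZ feed."""
    return sorted({ioc["value"].replace("[.]", ".")
                   for ioc in iocs if ioc["type"] == "domain"})


if __name__ == "__main__":
    iocs = build_iocs(LOKIBOT_URLS, FORMBOOK_C2, FORMBOOK_DOMAINS)
    for ioc in iocs:
        print(f'{ioc["family"]:9} {ioc["type"]:6} {ioc["value"]:48} {ioc["note"]}')
    print(len(blocklist(iocs)), "domains to block")
```

Paste the remaining Formbook domains into FORMBOOK_DOMAINS to get the full feed; the dedupe step means the same host appearing in both configs, or a URL listed twice, is only emitted once.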
Targets
Target: win32.exe
Size: 264KB
Signatures:
- Modifies firewall policy service
- Formbook Payload
- ServiceHost packer: detects the ServiceHost packer used for .NET malware
- Blacklisted process makes network request
- Executes dropped EXE
- Sets file execution options in registry (Image File Execution Options entries are commonly used for persistence or to hijack the launch of another program)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments
- Loads dropped DLL
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials
- Adds Run key to start application (persistence)
- Drops desktop.ini file(s)
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: a thread flagged this way stops reporting to an attached debugger)
- Suspicious use of SetThreadContext (commonly seen in process hollowing and other injection, where a suspended thread is redirected to injected code)
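The BIOS and connected-drive signatures above describe the same evasion pattern: read firmware and disk identifiers from the registry and bail out if a hypervisor vendor string is present. The script below runs that string check the way an analyst hardening a sandbox would, over a constructed set of registry values resembling a stock VirtualBox guest and over a vendor-neutral set, to show which values leak. It is an added example by the editor, not the sample's code and not the sandbox's signature logic; the registry paths are the ones such checks commonly read, and every value shown is constructed, not data from this report.

```python
import re

# Registry values a sample typically reads for these two checks, filled
# with constructed contents resembling a stock VirtualBox guest. These
# are illustrative values, not data observed in this report.
VBOX_LIKE_REGISTRY = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Oracle VM VirtualBox VBE Adapter",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer": "innotek GmbH",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName": "VirtualBox",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0":
        r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\Count": "1",
}

# The same values after the analysis VM has been given vendor-neutral
# firmware and disk identifiers (also constructed).
HARDENED_REGISTRY = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "LENOVO - 1520",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Intel Video BIOS",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer": "LENOVO",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName": "20HRCTO1WW",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0":
        r"SCSI\Disk&Ven_NVMe&Prod_SAMSUNG_MZVLB512\4&2a3b4c5d&0&000000",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\Count": "1",
}

# Vendor strings that anti-analysis code commonly greps for in these values.
VM_MARKERS = re.compile(
    r"vbox|virtualbox|innotek|vmware|qemu|bochs|xen|parallels|hyper-v|virtual",
    re.IGNORECASE,
)


def sandbox_indicators(registry):
    """Return (check, value_path, matched_marker) for each value that
    leaks a hypervisor vendor. check is 'disk' for Services\\Disk\\Enum
    values and 'bios' for the HARDWARE\\DESCRIPTION values."""
    hits = []
    for path, data in registry.items():
        match = VM_MARKERS.search(str(data))
        if match:
            check = "disk" if r"\Disk\Enum" in path else "bios"
            hits.append((check, path, match.group(0)))
    return hits


def summarize(registry):
    """Count leaking values per check, e.g. {'bios': 4, 'disk': 1}."""
    counts = {}
    for check, _, _ in sandbox_indicators(registry):
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    for label, reg in (("VirtualBox-like", VBOX_LIKE_REGISTRY),
                       ("hardened", HARDENED_REGISTRY)):
        hits = sandbox_indicators(reg)
        print(f"{label}: {len(hits)} leaking value(s) {summarize(reg)}")
        for check, path, marker in hits:
            print(f"  [{check}] {path} -> {marker!r}")
```

On a live analysis VM the dictionaries would be populated from the registry instead of constructed; the point of the vendor-neutral set is that the disk enumeration value is as revealing as the BIOS strings and is the one most often forgotten when a sandbox image is "cleaned".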