General
  Target: a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
  Size: 23KB
  Sample: 210118-bnrn4vbzwn
  MD5: 9a1b6f469ae1ed4f63973d0d681bf203
  SHA1: a3ed922ee5d0f1eca5f44ec35310600334ce89e4
  SHA256: a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9
  SHA512: 69057211d2cfb78aff88e49b033a4b2255f45525c8a9daffbc8d6357256e5d0557ea69fdd276a99c7f261b6cca2b8f19337fa09037d5bddfe6ccdd2bc1833495

Static task: static1

Behavioral task: behavioral1
  Sample: a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
  Resource: win7v20201028

Malware Config
  Extracted family: lokibot
  C2 URLs:
    http://51.195.53.221/p.php/cfOoZYb0LXPms
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
Targets
  Target: a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9.exe
  Size: 23KB
  MD5: 9a1b6f469ae1ed4f63973d0d681bf203
  SHA1: a3ed922ee5d0f1eca5f44ec35310600334ce89e4
  SHA256: a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9
  SHA512: 69057211d2cfb78aff88e49b033a4b2255f45525c8a9daffbc8d6357256e5d0557ea69fdd276a99c7f261b6cca2b8f19337fa09037d5bddfe6ccdd2bc1833495

  Signatures observed:
    Modifies WinLogon for persistence
    Turns off Windows Defender SpyNet reporting
    Looks for VirtualBox Guest Additions in registry
    Looks for VMWare Tools registry key
    Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
    Drops startup file
    Adds Run key to start application
    Legitimate hosting services abused for malware hosting/C2
    Maps connected drives based on registry (Disk information is often read in order to detect sandboxing environments.)
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
  Persistence:
    Winlogon Helper DLL (1)
    Modify Existing Service (1)
    Registry Run Keys / Startup Folder (1)
  Defense Evasion:
    Modify Registry (6)
    Disabling Security Tools (4)
    Virtualization/Sandbox Evasion (2)