General

  • Target

    53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb

  • Size

    478KB

  • Sample

    220725-zkkansebf3

  • MD5

    27b5a2ae4b7829e5c4a6be8c05f0af66

  • SHA1

    f0a03d7f0aff41e5458436f0241c8a1e59002e76

  • SHA256

    53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb

  • SHA512

    7d2b5a3731f3e38118bc1d25354782e79913e79408439a74d121bef546ab21e60330d9cf73a083bdcf19d20327d5ace3b3261fbb97acbb0318556050b4d917a8

Malware Config

  • Extracted family: sality

    C2:
      http://89.119.67.154/testo5/
      http://kukutrustnet777.info/home.gif
      http://kukutrustnet888.info/home.gif
      http://kukutrustnet987.info/home.gif

  • Extracted family: lokibot

    C2:
      http://mclhk-net.com/hiswounds/fre.php
      http://kbfvzoboss.bid/alien/fre.php
      http://alphastand.trade/alien/fre.php
      http://alphastand.win/alien/fre.php
      http://alphastand.top/alien/fre.php
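The extracted C2 URLs are the most actionable part of this report. As an added example (not the sandbox's or the malware's code), the script below turns them into host-level and URL-level indicators and runs them over squid-native-format proxy log lines. Only the C2 URLs come from the report; the log lines, the client IPs and the 203.0.113.x peer addresses are constructed for illustration.

```python
"""Match the Sality/Lokibot C2 URLs from this report against proxy logs.

Added example; not code from the sandbox or from the malware. The log
lines in SAMPLE_LOG are constructed, only C2_URLS comes from the report.
"""
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's two configs (from the report).
C2_URLS = {
    "sality": [
        "http://89.119.67.154/testo5/",
        "http://kukutrustnet777.info/home.gif",
        "http://kukutrustnet888.info/home.gif",
        "http://kukutrustnet987.info/home.gif",
    ],
    "lokibot": [
        "http://mclhk-net.com/hiswounds/fre.php",
        "http://kbfvzoboss.bid/alien/fre.php",
        "http://alphastand.trade/alien/fre.php",
        "http://alphastand.win/alien/fre.php",
        "http://alphastand.top/alien/fre.php",
    ],
}

# Constructed squid native-format lines: time elapsed client action/code size method URL ident hier type
SAMPLE_LOG = """\
1658784000.123    45 10.0.0.15 TCP_MISS/200 512 GET http://kukutrustnet777.info/home.gif - HIER_DIRECT/203.0.113.9 image/gif
1658784001.456    12 10.0.0.15 TCP_MISS/404 310 POST http://alphastand.top/alien/fre.php - HIER_DIRECT/203.0.113.10 text/html
1658784002.789    33 10.0.0.22 TCP_MISS/200 1024 GET http://alphastand.win/alien/other.php - HIER_DIRECT/203.0.113.11 text/html
1658784003.000    20 10.0.0.31 TCP_HIT/200 2048 GET http://example.com/index.html - NONE/- text/html
"""


def build_indicators(c2_urls):
    """Return two lookup tables: host -> family and (host, path) -> family."""
    hosts, urls = {}, {}
    for family, entries in c2_urls.items():
        for url in entries:
            parsed = urlparse(url)
            host = parsed.hostname.lower()
            hosts[host] = family
            urls[(host, parsed.path)] = family
    return hosts, urls


def match_log_line(line, hosts, urls):
    """Classify one squid native log line.

    Returns None when nothing matches; otherwise a dict with the family, the
    client IP, and whether the full URL matched ("url") or only the host
    ("host"). Host-only hits still matter: Lokibot panels rotate the script
    path, but the domain is the stable indicator.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    src_ip, url = fields[2], fields[6]
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    if host not in hosts:
        return None
    if (host, parsed.path) in urls:
        return {"family": urls[(host, parsed.path)], "src": src_ip, "match": "url"}
    return {"family": hosts[host], "src": src_ip, "match": "host"}


def scan(log_text, c2_urls=C2_URLS):
    """Run every line of log_text through the indicator tables; return the hits."""
    hosts, urls = build_indicators(c2_urls)
    hits = []
    for line in log_text.splitlines():
        hit = match_log_line(line, hosts, urls)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%(src)s -> %(family)s (%(match)s match)" % hit)
```

The URL-level table is the precise signal; the host-level table catches the rotated Lokibot paths and any GET to the Sality update hosts that does not fetch home.gif. Both of the Sality IP-based C2 and the three kukutrustnet domains should also go to DNS/firewall block lists, since Sality beacons them without a proxy.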

Targets

    • Target

      53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb

    • Size

      478KB

    • MD5

      27b5a2ae4b7829e5c4a6be8c05f0af66

    • SHA1

      f0a03d7f0aff41e5458436f0241c8a1e59002e76

    • SHA256

      53fcd7145bfb3737dc67bff3f7fe79997471c8171328dd10323da5fdb100d2eb

    • SHA512

      7d2b5a3731f3e38118bc1d25354782e79913e79408439a74d121bef546ab21e60330d9cf73a083bdcf19d20327d5ace3b3261fbb97acbb0318556050b4d917a8

    • Lokibot

      Lokibot is a password and cryptocurrency wallet stealer.

    • Modifies firewall policy service

    • Sality

      Sality is a polymorphic file infector and backdoor written in C++, first discovered in 2003. Because it infects other executables, a single file yielding both a Sality config and a Lokibot config is consistent with a Lokibot sample that was itself infected by Sality.

    • UAC bypass

    • Windows security bypass

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Accesses Microsoft Outlook profiles

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Suspicious use of SetThreadContext

      Setting another thread's context is the classic process-hollowing step: create a process suspended, map the payload into it, then redirect the primary thread's entry point before resuming it.
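The "UPX packed file" signature says the sample is packed with UPX or a modified UPX. As an added example (not the sandbox's signature logic), the script below shows the two things such a check can key on: the UPX0/UPX1 section names, which a modified UPX build often renames, and the structural pattern of a first section that is empty on disk but large in memory, into which the stub unpacks. The PE bytes are constructed by the hypothetical build_pe() helper for illustration; they are not the sample from this report and are not loadable images.

```python
"""Flag a PE whose section table looks UPX-packed.

Added example; not the sandbox's detection code. build_pe() constructs a
minimal PE (DOS stub, PE signature, COFF header, section table) purely so
parse_sections() has something to read; the bytes are not this report's
sample and not a runnable executable.
"""
import struct

E_LFANEW = 0x3C            # offset of the PE header pointer in the DOS header
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40


def parse_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, E_LFANEW)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_len, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + COFF_HEADER_LEN + opt_len
    sections = []
    for i in range(nsec):
        off = sec_off + i * SECTION_HEADER_LEN
        # IMAGE_SECTION_HEADER starts: Name[8], VirtualSize, VirtualAddress, SizeOfRawData
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rawsize))
    return sections


def upx_verdict(sections):
    """Return (is_upx_like, reasons). Names are a strong hint; the layout
    check also fires on renamed UPX but would trip on any binary whose first
    section is bss-like, so treat it as a hint rather than proof."""
    reasons = []
    upx_names = [s[0] for s in sections if s[0].upper().startswith("UPX")]
    if upx_names:
        reasons.append("UPX section names: " + ", ".join(upx_names))
    if len(sections) >= 2:
        _, vsize0, raw0 = sections[0]
        _, _, raw1 = sections[1]
        # UPX layout: section 0 has SizeOfRawData == 0 but reserves the
        # unpacked image in VirtualSize; section 1 carries the packed data and stub.
        if raw0 == 0 and vsize0 > 0 and raw1 > 0:
            reasons.append("first section empty on disk (vsize=0x%x), second section "
                           "carries %d packed bytes" % (vsize0, raw1))
    return bool(reasons), reasons


def build_pe(sections):
    """Construct a minimal PE with the given [(name, virtual_size, raw_size)]
    section table. SizeOfOptionalHeader is 0, which the parser honours;
    the result is for parsing only, not for loading."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b""
    vaddr = 0x1000
    for name, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1")[:8].ljust(8, b"\0"),
                             vsize, vaddr, rawsize, 0, 0, 0, 0, 0, 0x60000020)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed section tables: stock UPX, UPX with renamed sections, and a plain build.
PACKED = build_pe([("UPX0", 0x40000, 0), ("UPX1", 0x20000, 0x1F000), (".rsrc", 0x1000, 0x800)])
RENAMED = build_pe([(".text", 0x40000, 0), (".data", 0x20000, 0x1F000), (".rsrc", 0x1000, 0x800)])
PLAIN = build_pe([(".text", 0x10000, 0x10000), (".data", 0x2000, 0x1000), (".rsrc", 0x1000, 0x800)])


def classify(data):
    """Parse a PE image and return upx_verdict() for it."""
    return upx_verdict(parse_sections(data))


if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, classify(blob))
```

For a real file, read it into `data` and call `classify(data)`; a UPX sample that `upx -d` refuses to unpack but that still shows the empty-first-section layout is the usual "modified UPX" case the signature refers to.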
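The "Enumerates connected drives" and "Drops autorun.inf file" signatures together describe Sality's removable-media spreading: walk every drive root, write an autorun.inf plus a copy of the infector. As an added example (not the sandbox's or the malware's code), the script below does the responder's side of that: it walks a set of drive roots, parses any autorun.inf leniently (malware pads the file with junk and odd casing), reports which [autorun] keys would execute code, and checks whether the referenced payload is actually sitting on the volume. The volumes are a constructed in-memory dictionary standing in for real drive roots, and the payload name xmvqor.exe is invented.

```python
"""Triage autorun.inf on attached volumes.

Added example; not code from the sandbox or from Sality. VOLUMES is a
constructed stand-in for drive roots ({root: {filename: content}}); on a
real host you would list the roots and read the files from disk.
"""
import configparser
import posixpath  # roots are written with "/" so the example runs on any OS

# [autorun] keys that cause code execution, directly on insert (legacy
# AutoRun) or when the user double-clicks the drive in Explorer.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return the [autorun] section as a lowercase-key dict, or {} if absent
    or unparseable. Lenient on purpose: duplicate keys and value-less lines
    are accepted, % is not interpolated, section name is matched case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def triage_autorun(inf):
    """Return {key: command} for every executing key present with a value."""
    return {k: v for k, v in inf.items() if k in EXEC_KEYS and v}


def scan_volumes(volumes):
    """One finding per drive that carries an autorun.inf with an executable target."""
    findings = []
    for root, files in volumes.items():
        inf_name = next((f for f in files if f.lower() == "autorun.inf"), None)
        if inf_name is None:
            continue
        targets = triage_autorun(parse_autorun(files[inf_name]))
        if not targets:
            continue
        # Is the executable each key points at actually present on the volume?
        names = {f.lower() for f in files}
        present = {}
        for key, cmd in targets.items():
            exe = cmd.split()[0].strip('"')
            present[key] = posixpath.basename(exe.replace("\\", "/")).lower() in names
        findings.append({"drive": root, "targets": targets, "payload_on_volume": present})
    return findings


# Constructed volumes: a system drive, a USB stick seeded the way a file
# infector does it, and a vendor stick with a benign icon/label autorun.inf.
VOLUMES = {
    "C:/": {"Windows": "", "pagefile.sys": ""},
    "E:/": {
        "autorun.inf": (
            "[AutoRun]\n"
            "open=xmvqor.exe\n"
            "shell\\open\\command=xmvqor.exe\n"
            "shell\\explore\\command=xmvqor.exe\n"
            "icon=%systemroot%\\system32\\shell32.dll,4\n"
        ),
        "xmvqor.exe": "MZ...",
        "report.docx": "",
    },
    "F:/": {
        "autorun.inf": "[autorun]\nicon=setup.ico\nlabel=Vendor Drivers\n",
        "setup.ico": "",
    },
}


if __name__ == "__main__":
    for finding in scan_volumes(VOLUMES):
        print(finding)
```

The `payload_on_volume` flag separates a stick that is still armed from one where the dropped executable was already cleaned but the autorun.inf left behind; both should be wiped, but only the former can re-infect the next host.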

MITRE ATT&CK Matrix (ATT&CK v6)

The number in parentheses is the count shown in the report's matrix cell for that technique. Technique IDs are from ATT&CK v6; in the current framework T1031 lives under T1543.003 (Create or Modify System Process: Windows Service), T1088 under T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control) and T1089 under T1562.001 (Impair Defenses: Disable or Modify Tools).

  • Initial Access
    T1091 Replication Through Removable Media (1)

  • Persistence
    T1031 Modify Existing Service (1)

  • Privilege Escalation
    T1088 Bypass User Account Control (1)

  • Defense Evasion
    T1112 Modify Registry (3)
    T1088 Bypass User Account Control (1)
    T1089 Disabling Security Tools (2)

  • Discovery
    T1012 Query Registry (1)
    T1120 Peripheral Device Discovery (1)
    T1082 System Information Discovery (1)

  • Lateral Movement
    T1091 Replication Through Removable Media (1)

  • Collection
    T1114 Email Collection (1)

Tasks