lobshot | 15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HVNC.exe
Size

96KB
MD5

9315eb6ecab91d17c13e8e12c850fd1a
SHA1

412eed3de0dd1714b4b27d77dec8d653e6d604cf
SHA256

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228
SHA512

c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216
SSDEEP

1536:QX1tIEY/6mS2I4bD7jrFgkfTeXslrYNJJpnPEqQFXB00Gdhp4VjlK+I/QX205eBj:QX1tIM2IOXjdfTeXsirnPgu4PK+Iocc

Score

10^/10

lobshot backdoor persistence

Malware Config

Signatures

Detects Lobshot family 3 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000126b6-62.dat	family_lobshot
behavioral1/files/0x000a0000000126b6-63.dat	family_lobshot
behavioral1/files/0x000a0000000126b6-64.dat	family_lobshot

Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot

Deletes itself 1 IoCs

pid	Process
1236	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1452	service.exe

Loads dropped DLL 1 IoCs

pid	Process
1236	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	HVNC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1204	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1380	HVNC.exe
1452	service.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1236	1380	HVNC.exe	28
PID 1380 wrote to memory of 1236	1380	HVNC.exe	28
PID 1380 wrote to memory of 1236	1380	HVNC.exe	28
PID 1380 wrote to memory of 1236	1380	HVNC.exe	28
PID 1236 wrote to memory of 1204	1236	cmd.exe	30
PID 1236 wrote to memory of 1204	1236	cmd.exe	30
PID 1236 wrote to memory of 1204	1236	cmd.exe	30
PID 1236 wrote to memory of 1204	1236	cmd.exe	30
PID 1236 wrote to memory of 1452	1236	cmd.exe	31
PID 1236 wrote to memory of 1452	1236	cmd.exe	31
PID 1236 wrote to memory of 1452	1236	cmd.exe	31
PID 1236 wrote to memory of 1452	1236	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\HVNC.exe
"C:\Users\Admin\AppData\Local\Temp\HVNC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\HVNC.exe") & (start "" "C:\ProgramData\service.exe")
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1204
- - C:\ProgramData\service.exe
    "C:\ProgramData\service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cln_log.txt

Filesize
350B

MD5
64d673a159a25f63b8502c8e3b20bc71

SHA1
cdc577c78ac69fa827eaafc6240d492b70c685f6

SHA256
e96c1bc5453258fb4d1fc773b195f6540ff110e62ddf40c15a4cb2949f588614

SHA512
aafc3d46369ed4ba9dae3feaa5a3e127a501fd342f2d9851a10581910f1d3fc6c4e549542b1bb38724edc6c9e51cdac3fea917efee4622646afc5e000c45d5e1

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit