lobshot | 15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/06/2023, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
Size

96KB
MD5

9315eb6ecab91d17c13e8e12c850fd1a
SHA1

412eed3de0dd1714b4b27d77dec8d653e6d604cf
SHA256

15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228
SHA512

c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216
SSDEEP

1536:QX1tIEY/6mS2I4bD7jrFgkfTeXslrYNJJpnPEqQFXB00Gdhp4VjlK+I/QX205eBj:QX1tIM2IOXjdfTeXsirnPgu4PK+Iocc

Score

10^/10

lobshot backdoor persistence

Malware Config

Signatures

Detects Lobshot family 3 IoCs

resource	yara_rule
behavioral1/files/0x00090000000126da-63.dat	family_lobshot
behavioral1/files/0x00090000000126da-64.dat	family_lobshot
behavioral1/files/0x00090000000126da-62.dat	family_lobshot

Lobshot
Lobshot is a backdoor module written in c++.
backdoor lobshot

Deletes itself 1 IoCs

pid	Process
328	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
608	service.exe

Loads dropped DLL 1 IoCs

pid	Process
328	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension = "C:\\ProgramData\\service.exe"	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
976	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
284	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
608	service.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 328	284	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	28
PID 284 wrote to memory of 328	284	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	28
PID 284 wrote to memory of 328	284	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	28
PID 284 wrote to memory of 328	284	15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe	28
PID 328 wrote to memory of 976	328	cmd.exe	30
PID 328 wrote to memory of 976	328	cmd.exe	30
PID 328 wrote to memory of 976	328	cmd.exe	30
PID 328 wrote to memory of 976	328	cmd.exe	30
PID 328 wrote to memory of 608	328	cmd.exe	31
PID 328 wrote to memory of 608	328	cmd.exe	31
PID 328 wrote to memory of 608	328	cmd.exe	31
PID 328 wrote to memory of 608	328	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe
"C:\Users\Admin\AppData\Local\Temp\15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c (ping 127.0.0.1) & (del /F /Q "C:\Users\Admin\AppData\Local\Temp\15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228.exe") & (start "" "C:\ProgramData\service.exe")
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:976
- - C:\ProgramData\service.exe
    "C:\ProgramData\service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cln_log.txt

Filesize
344B

MD5
47777cfb7cb0f3590b23acc5ef388e94

SHA1
6e7b49866efc6728ca775d649733374bda389146

SHA256
7738b280ad07eaf3a07bdb7532baa7ab8a2e34f7fe528ee1bd77aa857ee18420

SHA512
848a7cc52c3d19d7b3b9863ff56f29759c14e38344975502a246b0067250eacc79cc24b29c2555b0801eedad3c49bb81af22173dc841393bc4423db589dde534

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
C:\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit
\ProgramData\service.exe

Filesize
96KB

MD5
9315eb6ecab91d17c13e8e12c850fd1a

SHA1
412eed3de0dd1714b4b27d77dec8d653e6d604cf

SHA256
15ec54cd2b2605ec8395645fe545204a89ddfe6fef656c98c0578006184d0228

SHA512
c41bd3d7df65388927c5d8a46bcaa5d329741c9e690ef26e3a2a03021949a67ddda01c8f50d78b5faff8c0911ffaae33d3cf891de4b8b28360e3c3726827a216

Download Submit