dharma

General

Target

.
Size

146KB
Sample

240408-vp68saef32
MD5

199f2cb418b3bbb67af234b8499c2577
SHA1

8e1d482fc76fe9cfd5f3bc03020ddd234b6403b0
SHA256

801f39a832a874089683a32d34b75d834147658644608cf3fa899f350dad026e
SHA512

996481a21ac91d3c005dfd56074cb67455362586b57a2dbc60d71dbea76a0a75a864e7ca583c9f06b45ac3f27b3f1018284c7577408bf183cff333c5cbeeac7e
SSDEEP

1536:oWkud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DvHhqiS:pkPLFoVsllXmxBHhqiS

Score

10^/10

Malware Config

Extracted

Family

lokibot

C2

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  .
- Size
  
  146KB
- MD5
  
  199f2cb418b3bbb67af234b8499c2577
- SHA1
  
  8e1d482fc76fe9cfd5f3bc03020ddd234b6403b0
- SHA256
  
  801f39a832a874089683a32d34b75d834147658644608cf3fa899f350dad026e
- SHA512
  
  996481a21ac91d3c005dfd56074cb67455362586b57a2dbc60d71dbea76a0a75a864e7ca583c9f06b45ac3f27b3f1018284c7577408bf183cff333c5cbeeac7e
- SSDEEP
  
  1536:oWkud8LFVMUK4DgnVR4DBllKoVkL30vD9329s4DvHhqiS:pkPLFoVsllXmxBHhqiS
Score

10^/10

dharma lokibot agilenet collection discovery evasion macro macro_on_action persistence ransomware spyware stealer trojan upx
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Renames multiple (650) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Drops file in Drivers directory
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Stops running service(s)
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1