General

Target: sample
Size: 479KB
Sample: 240412-xk4m7sda76
MD5: 7623a5f4888348a1470e2c5bbe2e826a
SHA1: 4f86a2e6585914e77eab7166d159a5e309a0a3e7
SHA256: 8a1ca44c57db2910334734c555645f5e4cce911b0b6a51020eeadbe1f5432b4e
SHA512: 7838893132be1b99c2878f689a4685495dfd793ccdc6d303163cb64edf9de28ec58d4c8cfdec2fae4428e58d50dcc4115a51e8e1e6539f880864e7cec283f8f6
SSDEEP: 6144:7sTibDibtib+ibdibOibcibyibjiblibBkk:7Yi3iJiqipiaiAiGivi5iNkk
Static task: static1

Malware Config

Extracted family: lokibot
URLs:
- http://blesblochem.com/two/gates1/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (5)