Overview

overview

10

Static

static

10

d39df45e00...23.exe

windows7-x64

10

d39df45e00...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/03/2025, 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d39df45e0030e02f7e5035386244a523.exe

  • Size

    48KB

  • MD5

    d39df45e0030e02f7e5035386244a523

  • SHA1

    9ae72545a0b6004cdab34f56031dc1c8aa146cc9

  • SHA256

    df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

  • SHA512

    69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

  • SSDEEP

    768:RRMOTuQwOYZiyYcpbEzlwF2g9ap4nLBFvpzbHyV6N55IHFKSu87W78aETvqtnqUg:7MOiQwOYZEcKzlwb9u4nLbvpzLy0N55q

Score
10/10
litehttpbotexecutionpersistencestealer

Malware Config

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d39df45e0030e02f7e5035386244a523.exe
    "C:\Users\Admin\AppData\Local\Temp\d39df45e0030e02f7e5035386244a523.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\Ktanb45A\Anubis.exe""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohfdcxey.xxe.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/820-16-0x000001F298FC0000-0x000001F298FE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/820-9-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/820-10-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/820-17-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/820-22-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/820-25-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2108-0-0x00007FFF06BF3000-0x00007FFF06BF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2108-3-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2108-4-0x00007FFF06BF0000-0x00007FFF076B1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2108-7-0x000001F1CF4F0000-0x000001F1CFA18000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2108-2-0x000001F1B4D40000-0x000001F1B4D50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2108-1-0x000001F1B49A0000-0x000001F1B49B2000-memory.dmp

    Filesize

    72KB

    Download