litehttp | 6688a94f9872a333a01e925207a7a356dfb8e7083926cd5218a572ec67c2d458 | Triage

Sharing

General

Target

S7fiTRL.exe
Size

56KB
Sample

250309-vq4jaawwat
MD5

c8723bca6d83cbad8cbc75ae323d749d
SHA1

e40e8e84186286495aaff872e74afd6bd9c0aafd
SHA256

6688a94f9872a333a01e925207a7a356dfb8e7083926cd5218a572ec67c2d458
SHA512

28e902f13fbd8cca7cab58df38306d85e62c98eced62e96bffce205a3bdf1f0f411830ed77373905ba6ae040536dc6da188fbdaec1db6f63e97e50e50c5a9700
SSDEEP

1536:DMOiQ4BKCxOhU8WdJmQ/KawN9Qe6cr9bAJZXjof4vLa0:DxizBKCyU8WdJmQ/KawN9/r9bAJZXjiY

Score

10^/10

litehttp bot execution persistence privilege_escalation stealer

Malware Config

Extracted

Family

litehttp

Version

v1.0.10

C2

http://185.208.156.162/page.php

Attributes

key
v1d6kd29g85cm8jp4pv8tvflvg303gbl

Targets

- Target
  
  S7fiTRL.exe
- Size
  
  56KB
- MD5
  
  c8723bca6d83cbad8cbc75ae323d749d
- SHA1
  
  e40e8e84186286495aaff872e74afd6bd9c0aafd
- SHA256
  
  6688a94f9872a333a01e925207a7a356dfb8e7083926cd5218a572ec67c2d458
- SHA512
  
  28e902f13fbd8cca7cab58df38306d85e62c98eced62e96bffce205a3bdf1f0f411830ed77373905ba6ae040536dc6da188fbdaec1db6f63e97e50e50c5a9700
- SSDEEP
  
  1536:DMOiQ4BKCxOhU8WdJmQ/KawN9Qe6cr9bAJZXjof4vLa0:DxizBKCyU8WdJmQ/KawN9/r9bAJZXjiY
Score

10^/10

litehttp bot execution persistence privilege_escalation stealer
- LiteHTTP
  LiteHTTP is an open-source bot written in C#.
  stealer bot litehttp
- Litehttp family
  litehttp
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

litehttpbotexecutionpersistenceprivilege_escalationstealer