Overview

overview

10

Static

static

10

S7fiTRL.exe

windows7-x64

10

S7fiTRL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2025, 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S7fiTRL.exe

  • Size

    56KB

  • MD5

    c8723bca6d83cbad8cbc75ae323d749d

  • SHA1

    e40e8e84186286495aaff872e74afd6bd9c0aafd

  • SHA256

    6688a94f9872a333a01e925207a7a356dfb8e7083926cd5218a572ec67c2d458

  • SHA512

    28e902f13fbd8cca7cab58df38306d85e62c98eced62e96bffce205a3bdf1f0f411830ed77373905ba6ae040536dc6da188fbdaec1db6f63e97e50e50c5a9700

  • SSDEEP

    1536:DMOiQ4BKCxOhU8WdJmQ/KawN9Qe6cr9bAJZXjof4vLa0:DxizBKCyU8WdJmQ/KawN9/r9bAJZXjiY

Score
10/10
litehttpbotdefense_evasionexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

litehttp

Version

v1.0.10

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

    Adversaries may abuse Verclsid to proxy execution of malicious code.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\S7fiTRL.exe
    "C:\Users\Admin\AppData\Local\Temp\S7fiTRL.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\hi5slJzV\Anubis.exe""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {4A5481A5-BDBE-42AF-A535-1BC65F5DBD34} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
    1⤵
    • System Binary Proxy Execution: Verclsid
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Local\Caches\hi5slJzV\Anubis.exe
    Filesize

    56KB

    MD5

    c8723bca6d83cbad8cbc75ae323d749d

    SHA1

    e40e8e84186286495aaff872e74afd6bd9c0aafd

    SHA256

    6688a94f9872a333a01e925207a7a356dfb8e7083926cd5218a572ec67c2d458

    SHA512

    28e902f13fbd8cca7cab58df38306d85e62c98eced62e96bffce205a3bdf1f0f411830ed77373905ba6ae040536dc6da188fbdaec1db6f63e97e50e50c5a9700

    Download Submit

  • memory/272-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

    Filesize

    4KB

    Download

  • memory/272-1-0x00000000000E0000-0x00000000000F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/272-2-0x0000000000160000-0x0000000000172000-memory.dmp

    Filesize

    72KB

    Download

  • memory/272-3-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/272-4-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

    Filesize

    4KB

    Download

  • memory/272-5-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2904-19-0x00000000029A0000-0x0000000002A20000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2904-20-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2904-21-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download