DYNAMIC ANALYSIS REPORT #1173563 Classifications: Spyware Lokibot Mal/HTMLGen-A Trojan.GenericKD.36738116 MALICIOUS Threat Names: Generic.Andromeda.6165138E Gen:Variant.Razy.762033 Verdict Reason: - Sample Type Windows Exe (x86-32) Sample Name winlog.exe ID #385568 MD5 36dff976427ac27d7fb7294960ac4092 SHA1 5b199fd080c210915c6b3c6cdb7ed8d8db119e91 SHA256 5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072 File Size 280.00 KB Report Created 2021-04-19 18:49 (UTC+2) Target Environment win10_64_th2_en_mso2016 | exe X-Ray Vision for Malware - www.vmray.com 1 / 18 DYNAMIC ANALYSIS REPORT #1173563 OVERVIEW VMRay Threat Identifiers (18 rules, 54 matches) Score Category Operation Count Classification 5/5 YARA Malicious content matched by YARA rules 2 Spyware • Rule "Lokibot" from ruleset "Malware" has matched on a memory dump for (process #1) winlog.exe. • Rule "Lokibot" from ruleset "Malware" has matched on the function strings for (process #1) winlog.exe. 5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware • Tries to read sensitive data of: NCH Classic FTP, FileZilla, Bitvise SSH Client, Opera Mail, NCH Fling, PuTTY, Microsoft Outlook, IncrediMail, KiTTY, WinChips, Pidgin, SecureFX, Internet Explorer / Edge, Pocomail, FTP Navigator, FAR Manager, Total Commander, QtWeb Internet Browser, Trojita, Internet Explorer, BlazeFTP, LinasFTP. 4/5 Reputation Contacts known malicious URL 1 - • Reputation analysis labels the URL "http://eyecos.ga/kung/gate.php" which was contacted by (process #1) winlog.exe as "Mal/HTMLGen-A". 4/5 Reputation Resolves known malicious domain 1 - • Reputation analysis labels the resolved domain "eyecos.ga" as "Mal/HTMLGen-A". 4/5 Antivirus Malicious content was detected by heuristic scan 3 - • Built-in AV detected the sample itself as "Trojan.GenericKD.36738116". • Built-in AV detected a memory dump of (process #1) winlog.exe as "Generic.Andromeda.6165138E". • Built-in AV detected a memory dump of (process #1) winlog.exe as "Gen:Variant.Razy.762033". 3/5 Discovery Reads installed applications 1 Spyware • Reads installed programs by enumerating the SOFTWARE registry key. 2/5 Data Collection Reads sensitive browser data 4 - • (Process #1) winlog.exe tries to read sensitive data of web browser "QtWeb Internet Browser" by registry. • (Process #1) winlog.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault. • (Process #1) winlog.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry. • (Process #1) winlog.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file. 2/5 Data Collection Reads sensitive application data 5 - • (Process #1) winlog.exe tries to read sensitive data of application "Pidgin" by file. • (Process #1) winlog.exe tries to read sensitive data of application "Bitvise SSH Client" by registry. • (Process #1) winlog.exe tries to read sensitive data of application "KiTTY" by registry. • (Process #1) winlog.exe tries to read sensitive data of application "PuTTY" by registry. • (Process #1) winlog.exe tries to read sensitive data of application "WinChips" by registry. 2/5 Data Collection Reads sensitive ftp data 10 - X-Ray Vision for Malware - www.vmray.com 2 / 18 DYNAMIC ANALYSIS REPORT #1173563 • (Process #1) winlog.exe tries to read sensitive data of ftp application "LinasFTP" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "FileZilla" by file. • (Process #1) winlog.exe tries to read sensitive data of ftp application "BlazeFTP" by file. • (Process #1) winlog.exe tries to read sensitive data of ftp application "BlazeFTP" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "Total Commander" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "FAR Manager" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "SecureFX" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "NCH Fling" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "NCH Classic FTP" by registry. • (Process #1) winlog.exe tries to read sensitive data of ftp application "FTP Navigator" by file. 2/5 Data Collection Reads sensitive mail data 5 - • (Process #1) winlog.exe tries to read sensitive data of mail application "Pocomail" by file. • (Process #1) winlog.exe tries to read sensitive data of mail application "IncrediMail" by registry. • (Process #1) winlog.exe tries to read sensitive data of mail application "Opera Mail" by file. • (Process #1) winlog.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry. • (Process #1) winlog.exe tries to read sensitive data of mail application "Trojita" by registry. 2/5 Anti Analysis Delays execution 1 - • (Process #1) winlog.exe has a thread which sleeps more than 5 minutes. 1/5 Discovery Reads system data 1 - • (Process #1) winlog.exe reads the cryptographic machine GUID from registry. 1/5 Mutex Creates mutex 1 - • (Process #1) winlog.exe creates mutex with name "B7274519EDDE9BDC8AE51348". 1/5 Discovery Possibly does reconnaissance 13 - • (Process #1) winlog.exe tries to gather information about application "Mozilla Firefox" by registry. • (Process #1) winlog.exe tries to gather information about application "Comodo IceDragon" by registry. • (Process #1) winlog.exe tries to gather information about application "Safari" by registry. • (Process #1) winlog.exe tries to gather information about application "K-Meleon" by registry. • (Process #1) winlog.exe tries to gather information about application "Mozilla SeaMonkey" by registry. • (Process #1) winlog.exe tries to gather information about application "Mozilla Flock" by registry. • (Process #1) winlog.exe tries to gather information about application "Cyberfox" by registry. • (Process #1) winlog.exe tries to gather information about application "Total Commander" by registry. • (Process #1) winlog.exe tries to gather information about application "Default Programs" by registry. • (Process #1) winlog.exe tries to gather information about application "Bitvise SSH Client" by registry. • (Process #1) winlog.exe tries to gather information about application "SecureFX" by registry. • (Process #1) winlog.exe tries to gather information about application "Postbox" by registry. • (Process #1) winlog.exe tries to gather information about application "Trojita" by registry. 1/5 Privilege Escalation Enables process privilege 1 - • (Process #1) winlog.exe enables process privilege "SeDebugPrivilege". 1/5 Network Connection Performs DNS request 2 - • (Process #1) winlog.exe resolves host name "eyecos.ga" to IP "35.247.234.230". 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 • (Process #1) winlog.exe resolves host name " 97 8B 8B 8F åððñ9Að86ð9Añ9C 90 8C " 98to9E IP94 "-".8A 91 98 98 9E 8B 9A 8F 97 8F 1/5 Network Connection Connects to remote host 1 - • (Process #1) winlog.exe opens an outgoing TCP connection to host "35.247.234.230:80". X-Ray Vision for Malware - www.vmray.com 3 / 18 DYNAMIC ANALYSIS REPORT #1173563 1/5 Obfuscation Resolves API functions dynamically 1 - • (Process #1) winlog.exe resolves 46 API functions by name. - Trusted Known clean file 2 - • File "C:\Users\gsanders\AppData\Roaming\9EDDE9\9BDC8A.lck" is a known clean file. • File "c: \users\gsanders\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1560258661-3990802383-1811730007-1001\0a0eb714d9b6ebd0c6a49a4945de26ad_03845cb8-7441-4a2f-8c 0f-c90408af5778" is a known clean file. Remarks Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "2 hours, 51 minutes" to "20 seconds" to reveal dormant functionality. X-Ray Vision for Malware - www.vmray.com 4 / 18 DYNAMIC ANALYSIS REPORT #1173563 Mitre ATT&CK Matrix Command Initial Privilege Defense Credential Lateral Execution Persistence Discovery Collection and Exfiltration Impact Access Escalation Evasion Access Movement Control #T1082 System - - - - - - - - - - - Information Discovery #T1012 - - - - - - Query - - - - - Registry #T1119 - - - - - - - - Automated - - - Collection #T1214 - - - - - Credentials - - - - - - in Registry #T1005 Data - - - - - - - - from Local - - - System #T1217 Browser - - - - - - - - - - - Bookmark Discovery #T1003 - - - - - Credential - - - - - - Dumping #T1081 - - - - - Credentials - - - - - - in Files #T1083 File and - - - - - - - - - - - Directory Discovery #T1045 - - - - Software - - - - - - - Packing X-Ray Vision for Malware - www.vmray.com 5 / 18 DYNAMIC ANALYSIS REPORT #1173563 Sample Information ID 1173563 MD5 36dff976427ac27d7fb7294960ac4092 SHA1 5b199fd080c210915c6b3c6cdb7ed8d8db119e91 SHA256 5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072 SSDeep 6144:1WkL1Ys1HIRcZbLCaD0YGUaoFP3eNoG0Q+kRuIhbl:4kf1HjnDxasvuT7uul ImpHash 0c1de0d2a8383c4df108890e036a0ae1 Filename winlog.exe File Size 280.00 KB Sample Type Windows Exe (x86-32) Has Macros Analysis Information Creation Time 2021-04-19 18:49 (UTC+2) Analysis Duration 00:03:51 Termination Reason Timeout Number of Monitored Processes 1 Execution Successfull False Reputation Analysis Enabled WHOIS Enabled Built-in AV Enabled Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files Number of AV Matches 17 YARA Enabled YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages18 Page
-
File Size-