Loki-Bot from malspam .iso

Files:
File name: GMT_20190319060920563.com.exe
MD5: 3902567752c57bf36107a01990a5cc92
SHA256: 5986a088e86b2d169b3234aadf47ecddce1b8ac24e050b1423ef14ed5f06e609
Filesize: 446464 bytes

File name: GMT_20190319060920563.iso
MD5: c2dbe612409ef3dffded940c99cdac66
SHA256: 660e9d2de6f0223c50dfdfe512984f6a8f8400facebbca62db941a2566672458
Filesize: 507904 bytes

File name: objectfrabjous.exe
MD5: 89ca09b33506f659a39f8bed88103d55
SHA256: b70a7ef290cca5af3631d40e4253dd53ee8da6c8a32fe3a2e563ca27c88932b6
Filesize: 446464 bytes

File name: objectfrabjous.vbs
MD5: 33a60c46d369c821118edd398c45f949
SHA256: 42bc0ecf7ed5710d8c7417b19c6605c7c6cec2d6b43e9f765922bde1f3bb1339
Filesize: 110 bytes

Download (password: malware)

URLs:
hxxp://gentography[.]ml/david/Panel/five/fre.php
hxxp://gentography[.]ml/david/Panel/five/PvqDq929BSx_A_D_M1n_a.php

IPs:
104.27.191.40 (cloudflare)

Details:
This sample caught my eye because it shows the same persistence behavior as the REMCOS RAT I analyzed previously: a malicious process that drops a .vbs script and registers it under an autostart registry key.

The attack begins with an .iso attached to malspam, with an .exe inside (again, why would you send an .iso file to users who are likely unable to open it? I suppose Win8 and Win10 are becoming more prevalent):


When run, the .exe is fairly calm:

Though you can see via the ProcDOT graph that there is more going on behind the scenes:

The .com.exe file spawns a new process, "objectfrabjous.exe", and drops a .vbs script for persistence. It weakens several Internet security settings and sets a registry key that runs the .vbs script at system startup:


It also touches win.ini, which, according to my research, is another persistence mechanism. However, I did not see any entries that stood out to me in that file:
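The two persistence locations above (a Run-key value that launches the dropped .vbs through a script host, and the legacy win.ini run=/load= lines) can be checked offline from a registry export and a copy of win.ini. The script below is an added example, not code from the original post; the .reg export and both win.ini files are constructed sample data, the value name and .vbs file name come from the post, and the drop path under AppData is an assumption.

```python
"""Added example (not from the original post): flag autostart entries that run a
script host or a script file, from a .reg export and from win.ini [windows]."""
import configparser
import re

# Constructed: what `reg export` of the user's Run key might look like once the
# dropper has added its value. The OneDrive value is a benign decoy. The path
# under AppData\Roaming is an assumption, not something taken from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"objectfrabjous"="wscript.exe \"C:\\Users\\user\\AppData\\Roaming\\objectfrabjous\\objectfrabjous.vbs\""
'''

# Constructed: a stock win.ini with empty run=/load= lines (nothing planted).
CLEAN_WIN_INI = '''[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[windows]
load=
run=
'''

# Constructed: the same file with run= pointing at the script, i.e. what the
# win.ini mechanism would look like if the sample had actually used it.
SUSPICIOUS_WIN_INI = CLEAN_WIN_INI.replace(
    'run=', r'run=C:\Users\user\AppData\Roaming\objectfrabjous\objectfrabjous.vbs')

# Script hosts and script extensions that an ordinary application's autostart
# command line has no reason to contain.
SCRIPT_AUTOSTART = re.compile(
    r'(?i)\b[wc]script(?:\.exe)?\b|\.(?:vbs|vbe|js|jse|wsf|wsh)\b')


def _unescape_reg(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_export(text):
    """Return (key_path, value_name, data) for each REG_SZ value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('"'):
            name, sep, data = line.partition('"="')
            if not sep or not data.endswith('"'):
                continue  # dword:/hex: values are not strings; skip them
            entries.append((key, _unescape_reg(name[1:]), _unescape_reg(data[:-1])))
    return entries


def find_script_autostarts(reg_text):
    """Autostart values whose command line runs a script host or a script file."""
    return [e for e in parse_reg_export(reg_text) if SCRIPT_AUTOSTART.search(e[2])]


def win_ini_autostarts(ini_text):
    """Non-empty run=/load= entries under [windows]; both are loaded at logon."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    if not cp.has_section('windows'):
        return []
    hits = []
    for key in ('run', 'load'):
        value = (cp.get('windows', key, fallback='') or '').strip()
        if value:
            hits.append((key, value))
    return hits


if __name__ == '__main__':
    for key, name, data in find_script_autostarts(SAMPLE_REG):
        print(f'[!] {key}\\{name} -> {data}')
    print('win.ini (clean):  ', win_ini_autostarts(CLEAN_WIN_INI))
    print('win.ini (planted):', win_ini_autostarts(SUSPICIOUS_WIN_INI))
```

On a live host the same two functions can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM and RunOnce variants) and the contents of `%windir%\win.ini`; the regex deliberately matches the script host as well as the extension, since a value such as `wscript.exe //e:vbscript somefile.txt` would otherwise slip through.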

Taking a dive into the strings, several entries jump out that are commonly associated with the Loki-Bot info stealer:

References to aPLib (thanks Joergen):

Use of the Mozilla/4.08 (Charon; Inferno) user agent:

And of course, the C2, which uses "fre.php" in most infections:

From the strings you can also get a good idea of what Loki-Bot is attempting to steal: browser credentials, email credentials, and even a little bit of NETGATE and Apple mixed in.

"fre.php" is the common C2 traffic indicator for Loki-Bot, and you can often find the login panel on the C2 site. Now with CAPTCHA! To defend against... bots... stealing your bot?:
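The two network indicators above, the hard-coded "Mozilla/4.08 (Charon; Inferno)" User-Agent and the POST to a gate script named fre.php, are easy to turn into a proxy-log check. The script below is an added example, not code from the original post; the log lines are constructed sample data in a simple tab-separated layout (timestamp, client IP, method, URL, User-Agent) chosen for this example, the C2 URL is the one listed above, and the client IPs are made up.

```python
"""Added example (not from the original post): score proxy-log requests against
the Loki-Bot User-Agent and fre.php gate indicators, then surface repeated
hits per (client, C2 host)."""
from collections import Counter
from urllib.parse import urlsplit

LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"  # string seen in the sample
LOKI_GATE = "fre.php"                                # usual gate script name

# Constructed sample log; fields: timestamp, client, method, URL, User-Agent.
# The C2 URL is the one from the post, the client addresses are invented.
SAMPLE_LOG = "\n".join([
    "2019-03-19T06:11:02Z\t10.0.0.15\tPOST\thttp://gentography.ml/david/Panel/five/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "2019-03-19T06:11:05Z\t10.0.0.22\tGET\thttp://example.com/index.php\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2019-03-19T06:12:40Z\t10.0.0.15\tPOST\thttp://gentography.ml/david/Panel/five/fre.php\tMozilla/4.08 (Charon; Inferno)",
    "2019-03-19T06:13:01Z\t10.0.0.31\tPOST\thttp://shop.example.net/cart/fre.php\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
])


def parse_line(line):
    """Split one tab-separated record into a dict (User-Agent is the last field)."""
    ts, src, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "src": src, "method": method.upper(), "url": url, "ua": ua}


def score_request(req):
    """Return (level, reasons). The User-Agent alone is specific enough for a
    high-confidence alert; a POST to fre.php without it is only a weak hint,
    since unrelated PHP applications can use the same file name."""
    reasons = []
    if req["ua"] == LOKI_USER_AGENT:
        reasons.append("loki user-agent")
    path = urlsplit(req["url"]).path
    if req["method"] == "POST" and path.rsplit("/", 1)[-1].lower() == LOKI_GATE:
        reasons.append("POST to fre.php gate")
    if not reasons:
        return None, reasons
    return ("high" if "loki user-agent" in reasons else "low"), reasons


def scan_log(text):
    """One alert per matching request, in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        level, reasons = score_request(req)
        if level:
            alerts.append({**req, "level": level, "reasons": reasons,
                           "c2": urlsplit(req["url"]).netloc})
    return alerts


def beaconing_hosts(alerts, min_hits=2):
    """(client, C2 host) pairs with repeated high-confidence hits. The stealer
    posts to the gate more than once, so repeats are what to escalate first."""
    counts = Counter((a["src"], a["c2"]) for a in alerts if a["level"] == "high")
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'[{a["level"]}] {a["ts"]} {a["src"]} -> {a["c2"]}: {", ".join(a["reasons"])}')
    print("beaconing:", beaconing_hosts(found))
```

On the constructed data the two gentography.ml requests from 10.0.0.15 score high and are grouped as a beaconing pair, while the unrelated fre.php POST from 10.0.0.31 is kept only as a low-confidence hit for an analyst to triage. The User-Agent comparison is exact on purpose: a substring match on "Mozilla/4.08" would also catch legacy Netscape-era clients.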
