Elastic Security Labs discovers the LOBSHOT malware — Elastic Security Labs
Common Information
UUID: f8be5d8f-c64e-4637-ba73-cafc4472e8ef
Fingerprint: 5a65912a9b104d1
Analysis status: DONE
Considered CTI value: 1
Text language:
Published: May 16, 2023, midnight
Added to db: Nov. 19, 2023, 6:17 a.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: Elastic Security Labs discovers the LOBSHOT malware
Title: Elastic Security Labs discovers the LOBSHOT malware — Elastic Security Labs
Detected Hints/Tags/Attributes: 87/3/33
RSS Feed
Id: 306
Enabled:
Feed title: Elastic Security Labs
Url: https://www.elastic.co/security-labs/rss/feed.xml
Added to db: 2024-08-30 22:08
Attributes
Yara rule (1 event):
rule Windows_Trojan_Lobshot {
	meta:
		author = "Elastic Security"
		creation_date = "2023-04-18"
		last_modified = "2023-04-18"
		license = "Elastic License v2"
		os = "Windows"
		threat_name = "Windows.Trojan.Lobshot"
		reference_sample = "e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6"
	strings:
		$str0 = "HVNC Remote Control" ascii fullword
		$str1 = " Error # %d - lx" ascii fullword
		$str2 = "Set  clipboard text failed." ascii fullword
		$str3 = "OK lx lx %d" ascii fullword
		$str4 = "\") & (rundll32.exe \"" wide fullword
		$str5 = "%LOCALAPPDATA%\\svc.db" wide fullword
		$str6 = "cmd.exe /c (ping -n 10 127.0.0.1) & (del /F /Q \"" wide fullword
		$seq_str_decrypt = { 8A 5A ?? 8D 52 ?? 80 EB ?? 85 FF 74 ?? C0 E0 ?? 2C ?? 0A C3 32 C1 32 C7 88 06 32 E8 83 C6 ?? 83 C5 ?? EB ?? }
		$seq_emu_check = { 8B 35 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 44 24 ?? C7 44 24 ?? 48 41 4C 39 50 C7 44 24 ?? 54 48 00 00 FF D6 }
		$seq_enum_xor = { FF 15 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? 83 7C 24 ?? 00 0F 84 ?? ?? ?? ?? 8B 4C 24 ?? 68 07 80 00 00 8B 41 ?? 8A 00 32 01 A2 ?? ?? ?? ?? }
		$seq_create_guid = { 8D 48 ?? 80 F9 ?? 77 ?? 2C ?? C1 E2 ?? 46 0F B6 C8 0B D1 83 FE ?? 7C ?? 5F 8B C2 5E C3 }
	condition:
		2 of ($seq*) or 5 of ($str*)
}