General
Target: RFQ-IOCL-PP-IN-301.exe
Size: 537KB
Sample: 210503-ycxyelfk5j
MD5: 28e20b5b3364fd35e295e55739159f55
SHA1: 2889f9100a67cf9897f3d2a3008faae0d21c1380
SHA256: df07fc647c48c2ffeed6649fd82dd9ea0c51a0157f397b625bc4cc54f1609ee1
SHA512: 0cf6094bf41a999b1c4318789e2d952ca4e6b5e93efe5a0a3b146c369a6fb427a2a8e5ca005b1b49d281567cd9af44106e4f058f847501d73c9b809faf655bf8
Static task: static1
Behavioral task: behavioral1
Sample: RFQ-IOCL-PP-IN-301.exe
Resource: win7v20210408
Malware Config
Extracted
lokibot
http://104.168.175.179/ghost/panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
RFQ-IOCL-PP-IN-301.exe
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext
-