General
- Target: add582068ab9a1ed7e6ed81dbbcec44ac95334fccf3db1c6ff8df32801599caa
- Size: 992B
- Sample: 210727-w6lhl2vw5a
- MD5: d55ed0ef6c4f4f49f20ab8d899537305
- SHA1: 32799950eb686078e943154b546d685e95fb9530
- SHA256: add582068ab9a1ed7e6ed81dbbcec44ac95334fccf3db1c6ff8df32801599caa
- SHA512: fea31c0466326668014dcad3efee4b8c38a9f291d43e5c72aac87004e5b32451d4c6d350e4142ed54a5e551ef9470b1ce4bcab4d399a5c69619f7b9a188f3da6
Static task
- static1

Malware Config
Extracted
- Family: lokibot
- C2 URLs:
  - http://ikloki.xyz/vf/cf/mo.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Targets
- Target: EDT0932774733.js
- Size: 2KB
- MD5: 5db667c7131d5b139e1a0d8bbb049776
- SHA1: 463e9819a2bc38907ecc003a2885aef188e69a4d
- SHA256: 1a734745804a9a182e2ec2d86d6e065e720a8d469931a6e8cd48853385237138
- SHA512: 501154d9c45cef0045de2f39a0bbffcbedc012c59698d3e2587b12159d2ee1979576854ded0f8ba57cf9a483bf9a2d3576c21a64341236361afcc2f4ee70c7fd

Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Looks for VirtualBox Guest Additions in registry
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Loads dropped DLL
- Maps connected drives based on registry (Disk information is often read in order to detect sandboxing environments.)
- Suspicious use of SetThreadContext