General
- Target: POE6709000.JS.js
- Size: 2KB
- Sample: 210728-2f76tz27j2
- MD5: 38aed88adfeff1ade7eb881e7974a003
- SHA1: e2957656134f6fc70a02beac4c28c4865377c9e7
- SHA256: a01feeb43fac99c6270a8f3b0f3db9de1de8ccaf8edb8e207ed547842fd3cf8d
- SHA512: 65de2bf879e3d801333194a794bbaa9209ea1d76bc96115328688c91c1acede9e352514b88b72171f702686f799c82e2be8e9e83e0da05121690837cf60db03e
Static task: static1
Behavioral task: behavioral1
- Sample: POE6709000.JS.js
- Resource: win7v20210408
Malware Config
Extracted: lokibot
- http://ikloki.xyz/vf/cf/ro.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: POE6709000.JS.js
- Size: 2KB
- MD5: 38aed88adfeff1ade7eb881e7974a003
- SHA1: e2957656134f6fc70a02beac4c28c4865377c9e7
- SHA256: a01feeb43fac99c6270a8f3b0f3db9de1de8ccaf8edb8e207ed547842fd3cf8d
- SHA512: 65de2bf879e3d801333194a794bbaa9209ea1d76bc96115328688c91c1acede9e352514b88b72171f702686f799c82e2be8e9e83e0da05121690837cf60db03e
Signatures
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Looks for VirtualBox Guest Additions in registry
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext