General
Target: 4cea5d8cb3e0a17e942812e31667120a
Size: 124KB
Sample: 211019-mr94fsgfaj
MD5: 4cea5d8cb3e0a17e942812e31667120a
SHA1: c526373cc21495053cdf3ff735f10e4f031659b7
SHA256: be4448eb3e5f348051538b82b3e9b63191da49d028e6c5f2b8de4cbc6135c84a
SHA512: 1eed5b3fa630ca2e4998e5eae400cab82a2e65005107f9bae0ae04a7ed7b32373ffaaf486578acca13bf74c38193e62fbb51da381555fec8d45c10a40cc962f7
Static task: static1
Behavioral task: behavioral1
Sample: 4cea5d8cb3e0a17e942812e31667120a.msi
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: 4cea5d8cb3e0a17e942812e31667120a.msi
Resource: win10-en-20211014
Malware Config
Extracted: lokibot
http://63.250.40.204/~wpdemo/file.php?search=6446112
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE
Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext