General
- Target: Swift1008_pdf.ace
- Size: 510KB
- Sample: 211202-jmc2dacgfn
- MD5: 05ac0d8b864e0db9515e8345bc1e0856
- SHA1: 76da6e7c17d568ae074b7e753d8a7411250b441e
- SHA256: 7105e0d6e6f4313fd5f78f7fff42e83ea09acd42227328b6716aad564288e45a
- SHA512: 4611735496310de8d44dda8758d8fed52443b4a79eff1ffd2eebff5b51fe3684f53a1e04f5967a2d8cc1e0e4db438009056424d03eb555cc2a981c4003b6c2d7
Static task: static1
Behavioral task: behavioral1
- Sample: Swift1008_pdf.exe
- Resource: win7-en-20211104
Malware Config
Extracted: lokibot
- https://noithatcombo.com.vn/.cc/need/work/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: Swift1008_pdf.exe
- Size: 578KB
- MD5: e5af04f898b394a134c91d809811aed6
- SHA1: 797dadafd9fde7db95ae65e63531333ad8e128b2
- SHA256: b00c6e64af8c667452a11c65123c37fdd9efec0eec3e05e1f03bd552edf0d8ea
- SHA512: 4524016d55d99e296249caec2514bc83a125bf0505e11892bdcfb932f345a529a71ff583b8a21f7a5601b231c922abc7959b13135bfb3d68fc12a8a5f90c1604
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext