General
- Target: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
- Size: 185KB
- Sample: 211202-n9vxxsfhcj
- MD5: 9ff3b37069e0772af03732b022c02789
- SHA1: ebaa34d6e69a4a33ad40ac64791b5f6366b7be9c
- SHA256: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b
- SHA512: a7adfcd88ed04c03a93406eca63824eea8a71dd3471bde3e8217a1c184db064eff90c73a0036bfd36a908f45761454f0344166de6a8e07ee83b57588fffa6dee
Static task: static1
Behavioral task: behavioral1
- Sample: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
- Resource: win10-en-20211104
Malware Config
Extracted: lokibot
- http://63.250.34.171/tickets.php?id=156
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: 18b734b7b7da572d6ae29aedc5d0105e6b0ad96ba6c9bd100710b147d53f1a3b.exe
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext