General
- Target: fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a.exe
- Size: 197KB
- Sample: 220120-wmvmmsbabr
- MD5: 3553730092aed51702858b9ba64f0ab3
- SHA1: 3adf8943bcc6692b82f5c25d21f040cf182427ad
- SHA256: fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a
- SHA512: 3c03f484b19084d7a5a4622878daabfc5ec089a1ccebbe82f0ea0caad3578ff823e40560ec1f0cbef5353cf77bc8baeb5617ae43c8e187ba996413dfd77b08b9
Static task
- static1
Behavioral task
- behavioral1
  - Sample: fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a.exe
  - Resource: win7-en-20211208
Behavioral task
- behavioral2
  - Sample: fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a.exe
  - Resource: win10v2004-en-20220113
Malware Config
Extracted
- Family: lokibot
- C2 URLs:
  - http://windowssecuritycheck.gdn/mx/l/frefvdvdvfdfvdf.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Targets
- Target: fffbbdd6e74f9c941142bf664be3eadaed24626e0a2c33dc7f9bb6ba6707e57a.exe
- suricata: ET MALWARE Generic .bin download from Dotted Quad
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Checks QEMU agent file: checks presence of the QEMU agent, possibly to detect virtualization.
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext