General
- Target: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961.exe
- Size: 197KB
- Sample: 220120-wmvmmsbacj
- MD5: b31fdfb032644bcb1f8b072f4dc5e11a
- SHA1: 1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
- SHA256: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
- SHA512: 653a701f4ed1cecd6081e800ec50300a11ac1b927b32192deef796176e655f287bf5024279f0e2821ab5ee62cbc6ac24155b12a9be637dd1c199209289f05087
Static task: static1
Behavioral task: behavioral1
- Sample: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961.exe
- Resource: win10v2004-en-20220112
Malware Config
Extracted: lokibot
- http://windowssecuritycheck.gdn/gx/l/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Extracted: pony
- http://windowssecuritycheck.gdn/gx/p/gate.php
Targets
- Target: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961.exe
- Size: 197KB
- MD5: b31fdfb032644bcb1f8b072f4dc5e11a
- SHA1: 1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
- SHA256: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
- SHA512: 653a701f4ed1cecd6081e800ec50300a11ac1b927b32192deef796176e655f287bf5024279f0e2821ab5ee62cbc6ac24155b12a9be637dd1c199209289f05087
- suricata: ET MALWARE Generic .bin download from Dotted Quad
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext