General
-
Target
sknnestes9.exe
-
Size
197KB
-
Sample
220121-xekm5sbaar
-
MD5
7e8effc999bf0c37467eb143ab1a693b
-
SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9
-
SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb
-
SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7
Malware Config
Extracted
lokibot
http://tootoo.ga/webxpo/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
sknnestes9.exe
-
Size
197KB
-
MD5
7e8effc999bf0c37467eb143ab1a693b
-
SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9
-
SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb
-
SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic .bin download from Dotted Quad
-
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-