General
-
Target
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
-
Size
296KB
-
Sample
220502-jgjlzaagel
-
MD5
f131c78521cec27b327b5aad011c5afc
-
SHA1
928777153a742a0bf934545f3bc1fbf37bf27d3f
-
SHA256
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5
-
SHA512
8fbdbeeef3c72859f981b4620f2c604635c1527294de9d0027dc163d1bbdff77ceca6e83436a437deda345f88bbeb1152a8933a667cc9ef25230e58bdb056a57
Static task
static1
Behavioral task
behavioral1
Sample
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
lokibot
http://martiq.org/vag-2/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5.exe
-
Size
296KB
-
MD5
f131c78521cec27b327b5aad011c5afc
-
SHA1
928777153a742a0bf934545f3bc1fbf37bf27d3f
-
SHA256
38235094867a865a805cb8c234a2d628c5f782f97c4047b07f3e81db9221cff5
-
SHA512
8fbdbeeef3c72859f981b4620f2c604635c1527294de9d0027dc163d1bbdff77ceca6e83436a437deda345f88bbeb1152a8933a667cc9ef25230e58bdb056a57
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-