General
-
Target
ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
-
Size
178KB
-
Sample
220514-q5jp7shhg7
-
MD5
c85a753c46e005748eb59d6d062d596c
-
SHA1
396d1f6cbcf4e06965f270b7d5aa67ce784cec6b
-
SHA256
ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076
-
SHA512
a56eceb55e81e1d83bc3ea11db2889cb1c0c4d907d1d232cfdaecbf9a1ddfa927b70702e32064471841379291eb3e825f22ae5a3dad72ead3aaa763fb48d4980
Static task
static1
Behavioral task
behavioral1
Sample
ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
Resource
win7-20220414-en
Malware Config
Extracted
lokibot
http://vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076.exe
-
Size
178KB
-
MD5
c85a753c46e005748eb59d6d062d596c
-
SHA1
396d1f6cbcf4e06965f270b7d5aa67ce784cec6b
-
SHA256
ad803880dbb40f2776e5e149ebce583a1eee4a8628d34849bb72923d42529076
-
SHA512
a56eceb55e81e1d83bc3ea11db2889cb1c0c4d907d1d232cfdaecbf9a1ddfa927b70702e32064471841379291eb3e825f22ae5a3dad72ead3aaa763fb48d4980
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-