General

Target: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
Size: 178KB
Sample: 220514-q5kx9scdbk
MD5: 1b7cb251107fbaf8b865b9e8e8c23e25
SHA1: f5200902d1f9b10b6f132463c4fc5bf1b97a8e59
SHA256: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4
SHA512: 2d2d59408a72f632028d288e3fdaf352972d4fb9869d904c9c9a43e325f9d5037449ddc2bc04ac46688ae77058f27fba2f7c834f1e49188a5cc42d3bc9516e9d
Static task: static1
Behavioral task: behavioral1
Sample: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe
Resource: win7-20220414-en
Malware Config

Extracted family: lokibot
C2 URLs extracted from the sample's configuration:
http://62.197.136.176/liyan/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
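As an added example (not part of the sandbox report or of any tool it names), the following Python checks Suricata eve.json HTTP records against the C2 URLs extracted above and against the indicators the Suricata alerts on this page refer to. The User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the widely reported LokiBot value that the ET "Charon/Inferno" rule keys on; it is an assumption here, not a value taken from this report. The fake-404 check is a deliberate simplification (a 404 with a non-empty body answering a POST to the fre.php gate), not the ET rule's exact byte pattern. The log records are constructed for the example.

```python
"""Match Suricata eve.json HTTP events against the LokiBot C2 config extracted above."""
import json
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox from this sample (copied from the report).
C2_URLS = [
    "http://62.197.136.176/liyan/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumption: the widely reported LokiBot User-Agent that the ET Charon/Inferno rule keys on.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def parse_c2(urls):
    """Split each C2 URL into a (host, path) pair so log events can be matched exactly."""
    pairs = set()
    for url in urls:
        parts = urlsplit(url)
        pairs.add(((parts.hostname or "").lower(), parts.path))
    return pairs


C2_PAIRS = parse_c2(C2_URLS)
C2_HOSTS = {host for host, _ in C2_PAIRS}


def classify(event):
    """Return the list of reasons an eve.json 'http' event looks like LokiBot C2 traffic."""
    http = event.get("http", {})
    host = (http.get("hostname") or "").lower()
    path = http.get("url") or ""
    user_agent = http.get("http_user_agent") or ""
    method = http.get("http_method") or ""
    status = http.get("status")
    body_len = http.get("length") or 0

    reasons = []
    if (host, path) in C2_PAIRS:
        reasons.append("exact C2 URL from extracted config")
    elif host in C2_HOSTS:
        reasons.append("known C2 host, different path")
    if user_agent == LOKIBOT_UA:
        reasons.append("LokiBot User-Agent (Charon/Inferno)")
    gate_post = method == "POST" and path.endswith("/fre.php")
    if gate_post:
        reasons.append("POST to fre.php gate")
    # Simplified stand-in for the ET 'Fake 404 Response' alert: the gate answers a
    # check-in POST with a 404 that still carries a body.
    if gate_post and status == 404 and body_len > 0:
        reasons.append("fake 404 response with body")
    return reasons


def scan(lines):
    """Return (line_index, hostname, reasons) for every HTTP event matching an indicator."""
    hits = []
    for index, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the scan
        if event.get("event_type") != "http":
            continue
        reasons = classify(event)
        if reasons:
            hits.append((index, event["http"].get("hostname"), reasons))
    return hits


# Constructed sample eve.json records; not captured from the sandbox run.
SAMPLE_LOG = """
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"62.197.136.176","http":{"hostname":"62.197.136.176","url":"/liyan/five/fre.php","http_method":"POST","http_user_agent":"Mozilla/4.08 (Charon; Inferno)","status":404,"length":42}}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/index.html","http_method":"GET","http_user_agent":"Mozilla/5.0","status":200,"length":1256}}
{"event_type":"http","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","http":{"hostname":"alphastand.top","url":"/alien/other.php","http_method":"GET","http_user_agent":"Mozilla/5.0","status":200,"length":10}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"rrname":"kbfvzoboss.bid"}}
"""

if __name__ == "__main__":
    for index, host, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"line {index}: {host}: {', '.join(reasons)}")
```

Host-only matches are reported separately from exact URL matches on purpose: the sinkholed or re-used hosts in a config like this one are still worth an alert, but a path change usually means a new build or a different operator, which is worth distinguishing in triage.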
Targets

Target: 493fec71a20becefae761219d18fd3b3c63c5d6ed7c3a998e97a1a1b3c1511e4.exe (178KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)

Signatures:
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext