General
Target: tmp
Size: 505KB
Sample: 220514-rwvlsacfdm
MD5: 42bbd99a0ea0fcc5a3f9e6331277cc14
SHA1: fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d
SHA256: f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e
SHA512: 5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
Malware Config
Extracted family: lokibot
C2 URLs (from the extracted configuration):
http://85.202.169.172/remote/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
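The extracted C2 list is only useful once it is turned into indicators and checked against traffic. The following is an added example, not part of the sandbox report: it splits the five URLs above into IP, domain and path indicators, then scans constructed proxy log lines (the log format and the sample lines are assumptions made up for this example) and reports hits. The User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the value LokiBot is publicly documented to send and the one the "User-Agent (Charon/Inferno)" Suricata signature keys on; a hit on the URI path alone (fre.php under a different host) is reported separately at low confidence, since that path is not unique to this sample.

```python
"""Match proxy log lines against LokiBot C2 indicators extracted from the sample.

Added example; not part of the Triage report. The C2 URLs are the ones in the
report; the log format and the SAMPLE_LOG lines are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted configuration above.
C2_URLS = [
    "http://85.202.169.172/remote/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# User-Agent that LokiBot is documented to send in its HTTP POSTs to fre.php.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Assumed log format (constructed): "<epoch> <src_ip> <method> <url> \"<user-agent>\""
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines: two true C2 beacons, one benign request,
# and one request that only shares the /alien/fre.php path.
SAMPLE_LOG = """\
1652500001 10.0.0.12 POST http://alphastand.trade/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"
1652500002 10.0.0.12 GET http://www.example.com/ "Mozilla/5.0"
1652500003 10.0.0.17 POST http://85.202.169.172/remote/five/fre.php "Mozilla/4.08 (Charon; Inferno)"
1652500004 10.0.0.20 POST http://legit.example.net/alien/fre.php "curl/7.0"
"""


def extract_iocs(urls):
    """Split config URLs into separate IP, domain and path indicator sets."""
    domains, ips, paths = set(), set(), set()
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        try:
            ipaddress.ip_address(host)  # raises ValueError for a domain name
            ips.add(host)
        except ValueError:
            domains.add(host)
        paths.add(parsed.path)
    return {"domains": domains, "ips": ips, "paths": paths}


def classify(line, iocs):
    """Return a hit record for one log line, or None if nothing matched."""
    match = LINE_RE.match(line)
    if not match:
        return None  # unparseable line: skip rather than guess
    ts, src, method, url, ua = match.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    reasons = []
    if host in iocs["ips"]:
        reasons.append("c2_ip")
    if host in iocs["domains"]:
        reasons.append("c2_domain")
    if ua == LOKIBOT_UA:
        reasons.append("lokibot_ua")
    # Path-only overlap is weak evidence: report it, but do not score it high.
    if parsed.path in iocs["paths"] and not reasons:
        reasons.append("c2_path_only")
    if not reasons:
        return None

    high = any(r in ("c2_ip", "c2_domain", "lokibot_ua") for r in reasons)
    return {
        "ts": int(ts),
        "src": src,
        "method": method,
        "host": host,
        "reasons": reasons,
        "confidence": "high" if high else "low",
    }


def scan(log_text, urls=C2_URLS):
    """Scan every line of log_text; hits are returned in log order."""
    iocs = extract_iocs(urls)
    hits = []
    for line in log_text.splitlines():
        hit = classify(line, iocs)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['confidence']:<4} {hit['src']} -> {hit['host']} ({', '.join(hit['reasons'])})")
```

In a real deployment the source hosts that match at high confidence are the ones to isolate and pull for forensic triage; the path-only hits are worth a look but should not drive automatic blocking.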
Targets
Target: tmp
Size: 505KB
MD5: 42bbd99a0ea0fcc5a3f9e6331277cc14
SHA1: fb7e14f1eb56ece2c9a79f527fe6161a7d8d798d
SHA256: f35b2fb270330eb883b2a58476635e6c3768033ca00efc39c328becf973a2e1e
SHA512: 5dd85a4fa239dd04f1d23d1e8a31922a957ef639a42f186f470c4eece6c290bd15caba19302b957b091d0fe300b82c87605109623dc8474dcc493f372fdf3ea8
Suricata alerts (behavioral1):
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot User-Agent (Charon/Inferno)
Behavioral signatures:
Checks computer location settings: looks up the country code configured in the registry, likely a geofence (the sample can refuse to run in certain locales).
Accesses Microsoft Outlook profiles: consistent with LokiBot's harvesting of stored mail-client credentials, which is what the exfiltration alerts above observed on the wire.
Suspicious use of SetThreadContext: an API commonly used to redirect execution in a suspended process (process hollowing / injection); worth checking which process the sample created or opened around this call.