General
-
Target
d6d891e24cc17662f1adebe132cbaf3f803ba469d898196eaa95d3e8d074ef1f
-
Size
191KB
-
Sample
220521-bnemlacbe4
-
MD5
c7dc7a51f925e1d9f58f5f2338ece712
-
SHA1
8e2736f7e76824595aac852cba86f964eefe9f87
-
SHA256
d6d891e24cc17662f1adebe132cbaf3f803ba469d898196eaa95d3e8d074ef1f
-
SHA512
4d05ca1c0c91b92488a4520275572210223111b787d7b7431876805fca5da6bfb000528e2da6c00a0038128327ec0ebef21a969bb50845e2fc3751d5febe0b91
Static task
static1
Behavioral task
behavioral1
Sample
Payment proof .exe
Resource
win7-20220414-en
Malware Config
Extracted
lokibot
http://scarfponcho.com/notsite/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Payment proof .exe
-
Size
240KB
-
MD5
39dca7465781450a9bbb87eda01a07b7
-
SHA1
8b490e11ddd090ea5afeb24d327d39bd2f075979
-
SHA256
14e7b4f4f4e98ecb3aad0e67857b3fbbca1d314ecdaa0b1aab122e1d97954977
-
SHA512
66a89b947f31c7469f5daa005c0fdb02f304eed457be5067d59c68b3ab6be19f38ee6a776ef213416abd52babc17bed65ff8b7e77581f2cd871f705192ab79fb
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
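The C2 URLs extracted above and the Suricata hits give a network defender three things to match on: the five gate URLs, the `fre.php` filename they all share, and the Charon/Inferno User-Agent family the last rule is named after. The Python below is an added example, not part of the sandbox report or of the ET ruleset: the proxy log format and the log lines are constructed, and the User-Agent check is a token test modelled on the rule's title rather than the rule's actual content. It goes one step beyond the report by also flagging a POST to `/fre.php` on a host the config did not contain.

```python
"""
Added example, not part of the sandbox report: match HTTP/proxy log lines
against the LokiBot indicators the report surfaces, namely the five C2
URLs pulled from the sample's config and the Charon/Inferno User-Agent
family named by the Suricata rule.
"""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's config (from the report).
LOKIBOT_C2_URLS = [
    "http://scarfponcho.com/notsite/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in LOKIBOT_C2_URLS}
C2_PATHS = {urlsplit(u).path for u in LOKIBOT_C2_URLS}

# Token check modelled on the rule title
# "ET MALWARE LokiBot User-Agent (Charon/Inferno)"; not the ET rule body.
UA_PATTERN = re.compile(r"\b(Charon|Inferno)\b", re.IGNORECASE)

# Assumed proxy log format (constructed for this example):
#   <src_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify(line):
    """Return the indicator names one log line hits, in a fixed order ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m.group("url"))
    hits = []
    if url.hostname in C2_HOSTS:
        hits.append("c2_host")
    if url.path in C2_PATHS:
        hits.append("c2_path")
    # Generalisation: every extracted gate ends in /fre.php, so a POST to any
    # /fre.php is worth a look even when the domain is new.
    if m.group("method") == "POST" and url.path.endswith("/fre.php"):
        hits.append("fre_php_post")
    if UA_PATTERN.search(m.group("ua")):
        hits.append("charon_inferno_ua")
    return hits


def scan(lines):
    """Return [(src_ip, url, hits)] for each line with at least one hit."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line.strip())
            findings.append((m.group("src"), m.group("url"), hits))
    return findings


# Constructed log lines: two beacons to extracted gates, one benign request,
# and one beacon to a gate the config did not contain.
SAMPLE_LOG = """\
10.0.0.5 POST http://scarfponcho.com/notsite/five/fre.php "Mozilla/4.08 (Charon; Inferno)"
10.0.0.5 POST http://alphastand.top/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"
10.0.0.7 GET http://example.com/index.html "Mozilla/5.0"
10.0.0.9 POST http://newdomain.example/panel/fre.php "Mozilla/4.08 (Charon; Inferno)"
"""

if __name__ == "__main__":
    for src, url, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {url}: {', '.join(hits)}")
```

Host and path matches are exact, so the five URLs above stay a precise blocklist; the `fre_php_post` and User-Agent checks are the broader net and should be confirmed against the full request before blocking.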
-
Looks for VirtualBox Guest Additions in registry
The Guest Additions key only exists inside a VirtualBox guest, so reading it is a check for an analysis VM.
-
Looks for VMware Tools registry key
Same purpose as the VirtualBox check: the key is only present in a VMware guest.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check that decides whether to run based on the victim's locale.
-
Accesses Microsoft Outlook profiles
Outlook profiles store mail account credentials, consistent with the credential exfiltration the Suricata hits above report.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
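The four registry reads above (VirtualBox Guest Additions, VMware Tools, BIOS description, country code) are individually unremarkable; what makes them a signature is one process doing all of them early in its run. The Python below is an added example, not part of the sandbox report or of any product: it triages registry read events, of the kind a Sysmon registry rule or a sandbox trace records, and flags a process that combines two or more VM checks with a country lookup. The key paths are assumptions about what such checks read (the report names the checks, not the keys), and the events are constructed.

```python
"""
Added example, not part of the sandbox report: a triage pass over registry
read events (the kind a Sysmon registry rule or a sandbox trace records) that
groups the checks the report lists under one process: VirtualBox Guest
Additions, VMware Tools, BIOS description, and the configured country code.
The key paths are assumptions about what such checks read; the report names
the checks, not the keys.
"""
import re
from collections import defaultdict

# Assumed key paths, matched case-insensitively by prefix.
INDICATOR_KEYS = {
    "vbox_guest_additions": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    "vmware_tools": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    "bios_info": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    "geo_nation": r"HKCU\Control Panel\International\Geo",
}
VM_CHECKS = {"vbox_guest_additions", "vmware_tools", "bios_info"}


def normalize(path):
    """Fold the hive spellings different sources use into one lower-case form."""
    p = path.strip()
    p = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", p, flags=re.IGNORECASE)
    p = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", p, flags=re.IGNORECASE)
    # Sysmon logs per-user keys under HKU\<SID>\...; treat them as HKCU here.
    p = re.sub(r"^HKU\\S-[\d-]+\\", r"HKCU\\", p, flags=re.IGNORECASE)
    return p.lower()


def classify_key(path):
    """Name the indicator a registry path belongs to, or None."""
    p = normalize(path)
    for name, prefix in INDICATOR_KEYS.items():
        if p.startswith(prefix.lower()):
            return name
    return None


def triage(events):
    """events: iterable of (image_path, registry_key).
    Returns {image_path: {"indicators": [...], "verdict": str}} for every
    image that touched at least one indicator key."""
    seen = defaultdict(set)
    for image, key in events:
        tag = classify_key(key)
        if tag:
            seen[image].add(tag)
    report = {}
    for image, tags in seen.items():
        vm_hits = tags & VM_CHECKS
        # One VM key read is common in legitimate software; two or more from
        # one process, plus a country lookup, is the pattern the report shows.
        if len(vm_hits) >= 2 and "geo_nation" in tags:
            verdict = "sandbox-evasion+geofence"
        elif len(vm_hits) >= 2:
            verdict = "sandbox-evasion"
        else:
            verdict = "low"
        report[image] = {"indicators": sorted(tags), "verdict": verdict}
    return report


# Constructed events: the sample's reads in three different hive spellings,
# plus explorer.exe doing a legitimate locale lookup and an unrelated read.
SAMPLE = r"C:\Users\victim\Payment proof .exe"
SAMPLE_EVENTS = [
    (SAMPLE, r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    (SAMPLE, r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    (SAMPLE, r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    (SAMPLE, r"HKU\S-1-5-21-1004-500\Control Panel\International\Geo\Nation"),
    (r"C:\Windows\explorer.exe", r"HKCU\Control Panel\International\Geo\Nation"),
    (r"C:\Windows\explorer.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for image, info in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {info['verdict']} ({', '.join(info['indicators'])})")
```

The hive normalisation matters in practice: a sandbox trace writes `HKEY_LOCAL_MACHINE`, Sysmon writes `HKLM` and puts user keys under `HKU\<SID>`, and a prefix match that ignores this misses half the reads.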
-
Suspicious use of SetThreadContext
SetThreadContext on another process's thread is the usual way to redirect execution after writing a payload into a suspended process (process hollowing / injection).
-