General
- Target: 84de0e9378be7cd6b1d374a93b2398545fb235bfeb005988511ac34c294b64a6
- Size: 186KB
- Sample: 220521-c33teaehf5
- MD5: cd7cb53f24886b2e7e948b37abbc7f0c
- SHA1: a5d3770d490cb6e6940063eb0ca3316ed23c7200
- SHA256: 84de0e9378be7cd6b1d374a93b2398545fb235bfeb005988511ac34c294b64a6
- SHA512: 7745e7c9efe260100a56b712193f266a1087dd789fee68bc6fc81b54af44cdd6a4ca45a4a0060e6e1ca38f6ad957906f5c08e5046a20dfeb571ad66cc6e1d1f6
Static task: static1
Behavioral task: behavioral1
- Sample: Urgent Demand.exe
- Resource: win7-20220414-en
Malware Config
Extracted: lokibot
- http://scarfponcho.com/notsite/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: Urgent Demand.exe
- Size: 290KB
- MD5: d89b70bb428e28287f68f3a193039470
- SHA1: 950bf6d8af4b7e7b0daa916d9830195a9bbac192
- SHA256: 14535f0225ffca1954a29b9076ead75bb8ad78bba28c23ae66e13e6a5f140693
- SHA512: 732511cd313feb0dc14a103dff76fc36f04da448d2fa83be8a60d67d82d9467920ac4cc8303557720c67a0b44c53168a9bd793546b53b2c9f43e56e5bab36403
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext