General
- Target: f10d4ff316e542b0a5e3e08cb2f50761a3a2f44c0ad7ae580362eda580c12124
- Size: 215KB
- Sample: 220521-ca1tcagfaj
- MD5: 6425feb894600942b948a5435f8f3bc0
- SHA1: 1e1ad1aa06184846050ee427a2b9872521145c9b
- SHA256: f10d4ff316e542b0a5e3e08cb2f50761a3a2f44c0ad7ae580362eda580c12124
- SHA512: 6b3877a30a55a57476ddec2a64895dabd14ed61405b5b1952e9150a23cb480523e0bd0d881e26b8406ccb355cb3c6e7f8cb465c3406b3986366020ae2b95aa27

Static task: static1

Behavioral task: behavioral1
- Sample: 101(RSWM).exe
- Resource: win7-20220414-en

Malware Config
Extracted: lokibot
- http://siiigroup.com/gst/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php

Targets
- Target: 101(RSWM).exe
- Size: 305KB
- MD5: 8c773f54d8865476e70acffaf2bb8796
- SHA1: d2769f5d2951fc4af301a8727f0cd00a28427b0d
- SHA256: 4f35e69645ec3551d0195844e432a1c258982a481d8acff446d403429ac43d1a
- SHA512: 61efed13d3491f36ba34fc4a90732ba823638958984378c64d85f23ffd3a47b6fdea71844e9a378d6ec25029e974f7c2739973c8e0328ec1da7479c96044119f
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry. BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings. Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry. Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext