General
-
Target
4a8c2cfd716cc31ceb56fbe9e8f9888a3ddc834a90e6dedcb140dacb79b625ab
-
Size
317KB
-
Sample
220521-dke53aahcq
-
MD5
a796500fb70218260a23af6b86890776
-
SHA1
1bc9a256beae11acada5b9514cd29c9fdf5b1820
-
SHA256
4a8c2cfd716cc31ceb56fbe9e8f9888a3ddc834a90e6dedcb140dacb79b625ab
-
SHA512
0c221b5d5170e4822197d3a6ca7c9aba0fe10568b9ece7a8367c9872a6d3ab97186ee2224fe9229af1fd156631cb7910dcabbc26e7ce66a810d5b450f166911d
Behavioral task
behavioral1
Sample
tas0v3FvZSBpyH2.exe
Resource
win7-20220414-en
Malware Config
Extracted
lokibot
http://skull3.ga/martins27/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
tas0v3FvZSBpyH2.exe
-
Size
676KB
-
MD5
557353bdbd122177a75fe9b79e5b4242
-
SHA1
5815cf11845fb0eac0634fe7422b27f6f51163f5
-
SHA256
3347f2ee195495a012ed7553481c88da56ff417f428598706c8d629dad11fe51
-
SHA512
e7eb2ae7db03555fdf1c800305bc060fc07e6d9667910a9a022cc10f40e6d3edf901b7f4903799706b43566977e2e1f62e971109ffe84c9398f3f11beea10b74
-
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is later decrypted.
-
Contains SnakeBOT related strings
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-