General
Target: 8275697787639625be4a663711127bfe1c84c0b08b67d8d6c59fdd1890130b23.exe
Size: 773KB
Sample: 220521-jl3weaeadk
MD5: 4eed468b0e55bf002a7c9794cbef7f11
SHA1: 12e328496090290adfa3447c3c86ea28a2269ec9
SHA256: 8275697787639625be4a663711127bfe1c84c0b08b67d8d6c59fdd1890130b23
SHA512: 6672450f359f1ff93fd4f8df600970892bdab376a6f5bb111cb3d08c4c461f23e8a31dd9de338c798dd9ac9eb8a1c9f1b01f1fb116325d63f75bdec77f524f3b
Static task: static1
Behavioral task: behavioral1
  Sample: 8275697787639625be4a663711127bfe1c84c0b08b67d8d6c59fdd1890130b23.exe
  Resource: win7-20220414-en
Malware Config
Extracted family: lokibot
Extracted C2 URLs:
- http://198.187.30.47/p.php?id=11563538709035308
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: 8275697787639625be4a663711127bfe1c84c0b08b67d8d6c59fdd1890130b23.exe (773KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext