General
Target: 187db6cc7bb80fa2a96c1b20d466165d6d453d30028b00a930944e4d91e35f46
Size: 314KB
Sample: 220521-pbkjzaabfl
MD5: 03fa9a0a259a825c064545d6ff64489b
SHA1: c16f42161f8b3bf88807bf26fc73d0306799577f
SHA256: 187db6cc7bb80fa2a96c1b20d466165d6d453d30028b00a930944e4d91e35f46
SHA512: a6e968f250b26873daa6e25f5193554a06f40b3ea5114446369f79c5ef11d86ed441d9f044fdcd7fb51e2133d9c2a405c7c9d45af47a09d2b6c92e30148687dc
Static task: static1
Behavioral task: behavioral1
Sample: rfq3076h.pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted family: lokibot
Extracted URLs:
  http://irangoodshop.com/nop/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: rfq3076h.pdf.exe
Size: 535KB
MD5: fe79a5a3460060e3f01f936f552f5375
SHA1: 40de4dd6222835dcd21af77fbfabac03331a89fa
SHA256: 6abbb44b66478a1e33b2feb3bb3ab5eda0a1dd7a7e5625a4e9ab82111c302fae
SHA512: 348c5a633113d320b4a20811f56134465f5cfed4cb9bb3127c2eeef80dc2db724309069317de379d32e6e1dc41d03f52929aa6f89ad3f22e163849ca930c9648
Signatures:
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext