General
Target: 0b480c7bc602cbcf0b2ba37cf27575c2553a6e79655f0e23e87a9d30d67ba96d
Size: 959KB
Sample: 220521-w7je4sbah9
MD5: d31e66905dda2c2ba10598ed2e1a5ee6
SHA1: 5920eda2878e2526c73344364f2ef9130ed95199
SHA256: 0b480c7bc602cbcf0b2ba37cf27575c2553a6e79655f0e23e87a9d30d67ba96d
SHA512: 2931bbb5be3c499579c10d4e68234a2c16e1c5d4bfca25752686e22263d295ef7e790fad3aefd0783acabe8d4b3132662db5415b8d8b13787a74c19e623c7cee
Static task: static1
Behavioral task: behavioral1
Sample: Quotation Order.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: Quotation Order.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: lokibot
http://rebutrg.ml/scoop/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: Quotation Order.exe
Size: 1.1MB
MD5: 48e775d9b63bd932d1c70de8f3b1ea8d
SHA1: d19222aaf436df3565734365811b637dff6414cb
SHA256: 8ecfe22ec30443d42392898e0d23f29fc42e72bf74c066d9738acb3ef551919b
SHA512: f169d64739ead5ddd4ae4e58564cdf7b6a4a1f70b2580f09444bfa02a72470681379583e4cfc3152a193d52741f4e24a2923717103560fdf6cc03e8171b8cfa8
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
ModiLoader First Stage
ModiLoader Second Stage
Executes dropped EXE
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext