General
- Target: bf26b74122d2f1a8338716f0190e8c00bd383cdfda7bb1f797a017e244e66352
- Size: 813KB
- Sample: 220521-w81qsabbh3
- MD5: 9ed3d14f139daf943e73d8f1acaf73e4
- SHA1: 1660a31fa20f8583dafeb4a0ac7e74c10aca7986
- SHA256: bf26b74122d2f1a8338716f0190e8c00bd383cdfda7bb1f797a017e244e66352
- SHA512: 5bba01b28882f989f2bcebe3c603a537febd18f597e9eab0621726630aab8f4f25e658b5d247928981a186be175e62c5417abce993eb749ccf1d15525e9d39c4
Static task: static1
Behavioral task: behavioral1
- Sample: T6636_PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: T6636_PDF.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: lokibot
- http://oneflextiank.com/coco/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: T6636_PDF.exe
- Size: 1.2MB
- MD5: 8ff2e665cfb3b37173fa0ad1126d081a
- SHA1: 624fd5ca214e383b7c210f7792868f022b392260
- SHA256: 99b3e1c6a5263c2d0b48f0e57ebf750b474ee28a8378af89750e8c154938faf6
- SHA512: d423def1ab53669e00234c8b6439d97238d93d638050a1b4fc2d5057b24da6eff768a8ea04127dfa605698e35d565b39b009bae27f35e9cd8eaa3acd836c3e0d
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext