General
- Target: 07564ee683a669f542bf29d77bf781860970252f0247aa2bef1cbb92394418b1
- Size: 1.4MB
- Sample: 220521-w9d86seebj
- MD5: 847de2893a3630caa1bffa421eadfc89
- SHA1: bfba0088bdbc443dd718faa04b88d49f687867dc
- SHA256: 07564ee683a669f542bf29d77bf781860970252f0247aa2bef1cbb92394418b1
- SHA512: a2e4865b57f2cb2075a05bf96d7669f774eec6d52a3b8ed236d40d736f068dd9d31fd7acaf1c3c2cc0771e3b30df41c2ae027c78ddfaffc6f1c6ac6cd774f9e1
Static task: static1
Behavioral task: behavioral1
- Sample: SOA_#BA520865 APR20pdf.exe
- Resource: win7-20220414-en
Malware Config
Extracted: lokibot
- http://rnarport.com/deal/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: SOA_#BA520865 APR20pdf.exe
- Size: 1.9MB
- MD5: 3a50e24228e23c190eaa02a703c4dcf8
- SHA1: c2d3f4bcc3a0ea2d490d0321d8936a9f93aaf233
- SHA256: 3b41268c22f208d755b5c6c9925088a6c5ff68a75e5cc003f574749c9f599a54
- SHA512: 5adfc8025ee84b29dcd896718ce72ef893376e72013ebfaedeb3511a7dc7457af306a3c45d57cfee5c84305ee123aaec39091705d61e72c84f79823e2e01a8a9
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext