General
Target: 09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06
Size: 991KB
Sample: 220521-w9lm9aeebr
MD5: b650d2a7c5a71109cf872ad301c424d4
SHA1: 08e3f4f8d920bad2b87b0fa6f9ec9aaa89cd5384
SHA256: 09c2593aad9cf3a021a9224c5adf7312459a26b87ead3d737ef6a3d73504bd06
SHA512: c2abb72202ff643dc031aaa3b290b68c1a8267b9057116a7601cfe5e383e18a5840a5a7a017a157548777327ff347428be3967746fe6661995c3c1f28013be42
Static task: static1
Behavioral task: behavioral1
Sample: SOA_#BA520865 APR20pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted family: lokibot
C2 URLs:
http://rnarport.com/deal/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: SOA_#BA520865 APR20pdf.exe
Size: 1.4MB
MD5: 651f7592df60c78259741d1452987807
SHA1: e4a39cb28f1275bd13dd357ce5592f4dc975268f
SHA256: fba2d704c11e4e6016da0acc631c12bb8ded89d3c46eb5469aa98988844f8b7e
SHA512: c438fc13a08ac1b27004a92d818341c1151b7df74fe3c0514636d087044b82e20f1d451acc05554e96a2265a1e10eb704a3feccb46ed8660a75c49d5b1daf4b4
Signatures:
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
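The following is an added example, not part of the sandbox report above and not code from the sandbox vendor: it turns the five extracted C2 URLs from the Malware Config section and the User-Agent named by the "LokiBot User-Agent (Charon/Inferno)" Suricata alert into a small proxy-log matcher. The User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the hard-coded LokiBot beacon UA that the ET rule keys on (known from the rule, not stated on this page). The log-line layout and the sample log lines are constructed for the example, and the "fre.php gateway" check generalizes beyond the page: all five extracted URLs share that path, so the matcher also flags POSTs to /fre.php on unlisted hosts as a weaker, config-independent indicator.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration (Malware Config above).
LOKIBOT_C2_URLS = (
    "http://rnarport.com/deal/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
)
C2_HOSTS = frozenset(urlsplit(u).hostname.lower() for u in LOKIBOT_C2_URLS)

# LokiBot's hard-coded beacon User-Agent; the Suricata "Charon/Inferno" rule matches this
# string (assumption from the ET rule, not printed in the report above).
CHARON_UA_RE = re.compile(r"Mozilla/4\.08 \(Charon; Inferno\)", re.IGNORECASE)

# Constructed log layout for this example (not a real product's format):
#   <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log; 203.0.113.9 and example.* are documentation addresses.
SAMPLE_LOG = """\
2022-05-21T10:00:01Z 10.0.0.15 POST http://rnarport.com/deal/five/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-05-21T10:00:02Z 10.0.0.15 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/100.0"
2022-05-21T10:00:03Z 10.0.0.22 POST http://alphastand.trade/alien/fre.php "Mozilla/5.0 (Windows NT 6.1)"
2022-05-21T10:00:04Z 10.0.0.31 POST http://203.0.113.9/panel/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-05-21T10:00:05Z 10.0.0.31 GET http://cdn.example.net/app.js "Mozilla/5.0"
"""


def classify(line):
    """Return the set of LokiBot indicator tags that one log line matches."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return set()
    tags = set()
    url = m["url"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if url in LOKIBOT_C2_URLS:
        tags.add("known_c2_url")      # exact match on an extracted C2 URL
    if host in C2_HOSTS:
        tags.add("known_c2_host")     # same C2 host, any path
    # Generalization: every extracted URL ends in /fre.php, so a POST to that path on
    # any host is a weaker indicator that survives a change of C2 domain.
    if m["method"].upper() == "POST" and parts.path.lower().endswith("/fre.php"):
        tags.add("fre_php_gateway")
    if CHARON_UA_RE.search(m["ua"]):
        tags.add("charon_inferno_ua")  # the beacon UA the Suricata rule alerts on
    return tags


def scan(log_text):
    """Scan a whole log; return [(line_number, sorted_tags)] for lines that hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((n, sorted(tags)))
    return hits


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
```

Lines 1 and 3 of the constructed log hit on the extracted config directly; line 4 shows why the two weaker indicators matter: the host is not in the config, but the /fre.php POST together with the Charon/Inferno User-Agent still flags it, which is the same behaviour the Suricata UA rule gives on the wire.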