General
Target: 071624c44be2ff4fba1324f744a9463a69f4aafc8548fd112d9b6d371920b3f7
Size: 758KB
Sample: 220521-xy6pqacgf9
MD5: 7aad5cfeb73394244c2499fd09da26b4
SHA1: da48498b49f719735e9540d79d29c666fe09ff33
SHA256: 071624c44be2ff4fba1324f744a9463a69f4aafc8548fd112d9b6d371920b3f7
SHA512: e3239f53ab69546c213341a20e43bd090634db87cd4b76bcffe3a2a2c0df452de6b251ea48a4dcaab414d0a18cbc98ea71ac70acbdc5a75123733f247a06894c
Static task: static1
Behavioral task: behavioral1
Sample: over-due-pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: lokibot
C2:
http://eocaenlogistics.com/data/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: over-due-pdf.exe
Size: 1.2MB
MD5: 9468d49cd6b26b3611a59998c39ec192
SHA1: 67a79f2b972ca38b0736272a64ce6650882627ee
SHA256: 375170c06f60f8f1529ae7c6cee9459118abd5b180fa70cbe82226c0b1deb09d
SHA512: 7d8dcb8fa3208c0f0bef4d5a91413726d9222118305284c84b2556733ef696469cc491439e286b770e28c22aed083c77eca980c5bccca9e1743f4068a3edd044
Signatures:
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
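To turn the extracted configuration and the "LokiBot User-Agent (Charon/Inferno)" Suricata hit into something that can be run over proxy telemetry, here is an added Python example; it is not part of the sandbox report. It matches log lines against the five C2 URLs above and against the User-Agent string `Mozilla/4.08 (Charon; Inferno)`, which is the value LokiBot is known to send and which that ET signature keys on. The pipe-separated log format, client addresses, timestamps and the log lines themselves are constructed for the example; the `/fre.php` heuristic is derived from the path shared by all five extracted URLs and is reported as a separate, weaker reason so it can be dropped if it is too noisy.

```python
"""Match proxy log lines against the LokiBot IOCs extracted in this report.

Added example, not part of the sandbox output. Log format and sample lines
are constructed; the C2 URLs are the ones listed under Malware Config.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration.
LOKIBOT_C2_URLS = [
    "http://eocaenlogistics.com/data/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = frozenset(urlsplit(u).hostname for u in LOKIBOT_C2_URLS)

# User-Agent string LokiBot sends; this is what the ET "Charon/Inferno"
# Suricata rule matches on.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"

# Constructed proxy log (not from the sandbox run).
# Fields: timestamp|client|method|url|user-agent
SAMPLE_LOG = """\
2022-05-21T10:00:01Z|10.0.0.5|POST|http://eocaenlogistics.com/data/five/fre.php|Mozilla/4.08 (Charon; Inferno)
2022-05-21T10:00:03Z|10.0.0.5|GET|https://www.example.org/index.html|Mozilla/5.0 (Windows NT 6.1) Firefox/100.0
2022-05-21T10:00:07Z|10.0.0.9|POST|http://intranet.corp.local/upload/fre.php|Mozilla/5.0 (Windows NT 10.0) Chrome/101.0
2022-05-21T10:00:09Z|10.0.0.5|POST|http://alphastand.top/alien/fre.php|Mozilla/5.0 (Windows NT 6.1) Firefox/100.0
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into the fields the checks need."""
    ts, client, method, url, ua = line.split("|", 4)
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "ua": ua,
    }


def classify(rec: dict) -> list:
    """Return every IOC reason a parsed record triggers, strongest first."""
    reasons = []
    if rec["host"] in C2_HOSTS:
        reasons.append("known_lokibot_c2_host")      # hard IOC from the config
    if rec["ua"] == LOKIBOT_UA:
        reasons.append("lokibot_user_agent")         # what the Suricata rule sees
    if rec["method"] == "POST" and rec["path"].endswith("/fre.php"):
        reasons.append("post_to_fre_php")            # weak heuristic, gate path only
    return reasons


def scan(log_text: str) -> list:
    """Scan a whole log and return (line_no, host, reasons) for each hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((n, rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for n, host, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {host}: {', '.join(reasons)}")
```

Two caveats when pivoting on these IOCs: the four `*/alien/fre.php` URLs (kbfvzoboss.bid and the alphastand.* domains) are hard-coded values that show up across many LokiBot builds, so the first URL is the one to weight as operator-specific infrastructure; and a POST to a path ending in `/fre.php` on its own is not evidence of LokiBot (line 3 above is the false positive), which is why that reason is kept separate from the host and User-Agent matches.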