General
- Target: a0e98fb5bfa5b1671c5b14e841ffe75432057cda5149ab60995ccd6e21dc29c6.exe
- Size: 502KB
- Sample: 220521-yhwp9agbdm
- MD5: 737a5d19dc4b7901ca3cd5c295f63ae2
- SHA1: 71c727a52325b5a48897bed111f3259ce64ae044
- SHA256: a0e98fb5bfa5b1671c5b14e841ffe75432057cda5149ab60995ccd6e21dc29c6
- SHA512: 16a97ee31e15e5af3ae623faf1bd78779bbbe7c0f1beb97b0e00e5c9c5e2a91b71f60f40c8c8862f82ce627c842bc8214b5daf59069d106d2ff2c13653f6903e
Static task: static1
Behavioral task: behavioral1
- Sample: a0e98fb5bfa5b1671c5b14e841ffe75432057cda5149ab60995ccd6e21dc29c6.exe
- Resource: win7-20220414-en
Malware Config
Extracted: lokibot
- http://198.187.30.47/p.php?id=19957150644816880
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: a0e98fb5bfa5b1671c5b14e841ffe75432057cda5149ab60995ccd6e21dc29c6.exe
- Size: 502KB
- MD5: 737a5d19dc4b7901ca3cd5c295f63ae2
- SHA1: 71c727a52325b5a48897bed111f3259ce64ae044
- SHA256: a0e98fb5bfa5b1671c5b14e841ffe75432057cda5149ab60995ccd6e21dc29c6
- SHA512: 16a97ee31e15e5af3ae623faf1bd78779bbbe7c0f1beb97b0e00e5c9c5e2a91b71f60f40c8c8862f82ce627c842bc8214b5daf59069d106d2ff2c13653f6903e
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext