General
Target: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
Size: 25KB
Sample: 220521-yhxmjsgbfq
MD5: 6b5e5c1f1b3707a6376a6bfbc6efea3a
SHA1: 7d086eca80ccc85d16825aeacdb13f23aedeb378
SHA256: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20
SHA512: 11b5f2a0eb4afc31c2f2e8fdcac48a69c4a1bb14ca8c817a13115bf87527899d726b81a7f0d2c71ebb9fa925b57ed669e17ccbb45c86fe24db844893ece946fc
Static task: static1
Behavioral task: behavioral1
  Sample: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: lokibot
C2 URLs:
http://198.187.30.47/p.php?id=7706107617708711
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
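The extracted C2 list above is the most directly actionable part of this report, and the Suricata hits further down show what network telemetry to pair it with. The following script is an added example (not part of the Triage report and not LokiBot's own code) that turns the five C2 URLs into host and path indicators and runs them, together with a heuristic for the User-Agent the "LokiBot User-Agent (Charon/Inferno)" rule keys on, over a handful of proxy log lines. The pipe-delimited log format, every log line, the client addresses, the domain alphastand.xyz and the exact UA string are constructed for the example; the report only names the Suricata rule, so the UA pattern is an assumption.

```python
"""Match the C2 indicators extracted from this LokiBot sample against HTTP
proxy logs. Added example; not part of the Triage report or of LokiBot.
The log format and every log line below are constructed for the example."""
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the report's "Malware Config" section.
C2_URLS = [
    "http://198.187.30.47/p.php?id=7706107617708711",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# The "LokiBot User-Agent (Charon/Inferno)" Suricata rule keys on the client
# UA string. The report names the rule, not the exact string, so this pattern
# is an assumption: it only requires both words to appear in order.
LOKIBOT_UA_RE = re.compile(r"Charon.*Inferno", re.IGNORECASE)

# Constructed proxy log: timestamp|client|method|url|status|user-agent
LOG_LINES = [
    "2022-05-21T10:01:02Z|10.0.0.15|POST|http://alphastand.trade/alien/fre.php|200|Mozilla/4.08 (Charon; Inferno)",
    "2022-05-21T10:01:05Z|10.0.0.15|POST|http://198.187.30.47/p.php?id=7706107617708711|200|Mozilla/4.08 (Charon; Inferno)",
    "2022-05-21T10:02:00Z|10.0.0.22|GET|http://www.example.com/index.html|200|Mozilla/5.0 (Windows NT 10.0) Chrome/101.0",
    "2022-05-21T10:03:11Z|10.0.0.31|POST|http://cdn.example.org/alien/fre.php|404|Mozilla/5.0 (Windows NT 10.0)",
    "2022-05-21T10:04:40Z|10.0.0.15|POST|http://alphastand.xyz/alien/fre.php|200|Mozilla/4.08 (Charon; Inferno)",
]


def iocs_from_config(urls):
    """Split the extracted C2 URLs into host and path indicators.
    Hosts are exact-match IOCs. Paths are kept separately: operators rotate
    domains far more often than the panel path, so a path hit on an unknown
    host is still worth a look, at lower confidence."""
    hosts, paths = set(), set()
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname)
        paths.add(p.path)
    return hosts, paths


def classify(line, hosts, paths):
    """Return the reasons a log line matches (empty list if clean)."""
    ts, client, method, url, status, ua = line.split("|", 5)
    p = urlparse(url)
    reasons = []
    if p.hostname in hosts:
        reasons.append("c2-host")      # exact host/IP from the config
    if p.path in paths:
        reasons.append("c2-path")      # known panel path, any host
    if LOKIBOT_UA_RE.search(ua):
        reasons.append("lokibot-ua")   # what the Suricata UA rule keys on
    return {"ts": ts, "client": client, "url": url, "reasons": reasons}


def confidence(reasons):
    """Collapse match reasons into a triage level."""
    if "c2-host" in reasons:
        return "high"      # talks to a host from this sample's config
    if "lokibot-ua" in reasons:
        return "medium"    # LokiBot UA to an unknown host: likely a new C2
    return "low"           # path only; could be a coincidental name


def scan(lines, urls=C2_URLS):
    """Scan log lines; return the hits with a confidence level attached."""
    hosts, paths = iocs_from_config(urls)
    hits = []
    for line in lines:
        r = classify(line, hosts, paths)
        if r["reasons"]:
            r["confidence"] = confidence(r["reasons"])
            hits.append(r)
    return hits


def suspected_clients(hits, minimum="medium"):
    """Clients with at least one hit at or above the given confidence."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return sorted({h["client"] for h in hits
                   if rank[h["confidence"]] >= rank[minimum]})


def new_c2_candidates(hits):
    """Hosts contacted with the LokiBot UA but absent from the config:
    input for pivoting and blocklist expansion."""
    return sorted({urlparse(h["url"]).hostname for h in hits
                   if h["confidence"] == "medium"})


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for h in hits:
        print(h["confidence"], h["ts"], h["client"], h["url"], h["reasons"])
    print("suspected clients:", suspected_clients(hits))
    print("new C2 candidates:", new_c2_candidates(hits))
```

The three-level scoring is the point of the example: a host from the config is a confirmed indicator, the UA string catches the same implant talking to a domain the config does not list (LokiBot panels move), and a bare path match is kept only as a low-confidence lead so that a 404 against an unrelated CDN does not page anyone.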
Targets
Target: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20.exe
Size: 25KB
MD5: 6b5e5c1f1b3707a6376a6bfbc6efea3a
SHA1: 7d086eca80ccc85d16825aeacdb13f23aedeb378
SHA256: ada9d56dd5b2d71b1c472891e8985ab68e42cca617e935346c886c50d980ea20
SHA512: 11b5f2a0eb4afc31c2f2e8fdcac48a69c4a1bb14ca8c817a13115bf87527899d726b81a7f0d2c71ebb9fa925b57ed669e17ccbb45c86fe24db844893ece946fc
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext