General

Target:  4b039a4113c98611053887af474ca0ef492c693525f6b2d700184e05720a2924
Size:    165KB
Sample:  220524-1jlb1shab9
MD5:     7228a31a21294c843be421ec18a5bbc8
SHA1:    a4076e09b181f8ca2b43d155a1b4e2434de10b90
SHA256:  4b039a4113c98611053887af474ca0ef492c693525f6b2d700184e05720a2924
SHA512:  7547ddf291d9054beb9ed185b1aa6081edae489b46dc62d46fc46b7d86ad3048b73c39ca10af62789c305cd4c67b205bc39914f4ce55e4b7d9db3fe280cb4e89

Note that the submitted object (165KB) is not the executable that ran: the target listed under Targets below, quotation(CIF Yokohama).exe, is 222KB with different hashes, so the submission is a wrapper from which the PE was extracted. Pivot on both sets of hashes when hunting, but the PE hashes are the ones that match what executes on a victim host.
Static task:      static1
Behavioral task:  behavioral1
Sample:           quotation(CIF Yokohama).exe
Resource:         win7-20220414-en
Malware Config

Extracted family: lokibot
C2 URLs:
  https://nnasout.com/loo/need/work/Panel/five/fre.php?
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

Reading the list: the four */alien/fre.php entries (kbfvzoboss.bid and the three alphastand domains) are the hard-coded panel addresses that LokiBot builds carry and that are widely reported in extracted configs regardless of operator; they fingerprint the family rather than this campaign. The operator-specific C2 is nnasout.com (note the trailing "?" on the fre.php path, which is how the sample constructs its check-in URL). Block and hunt on nnasout.com first; treat the other four as low-value, noisy indicators.
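The triage step described above, as an added example (my code, not part of the Tria.ge report or the sample): normalise the extracted URLs into defanged IOCs, separate the operator C2 from the builder-default domains, and run the resulting host set over some constructed proxy log lines. The URL list is the one the report extracted; the set of builder-default domains and the log lines are assumptions made for the example.

```python
"""Normalise LokiBot C2 URLs from a config extraction into actionable IOCs.

Added example, not code from the sandbox report.  EXTRACTED_C2 is the list the
report above produced; BUILDER_DEFAULT_DOMAINS and SAMPLE_PROXY_LOG are
assumptions constructed for this example.
"""
from urllib.parse import urlsplit

# URLs exactly as extracted in the report above.
EXTRACTED_C2 = [
    "https://nnasout.com/loo/need/work/Panel/five/fre.php?",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumption: domains that ship hard-coded in LokiBot builds and show up in
# almost every extracted config; they identify the family, not the operator.
BUILDER_DEFAULT_DOMAINS = frozenset({
    "kbfvzoboss.bid", "alphastand.trade", "alphastand.win", "alphastand.top",
})

# Constructed proxy log lines (not from the report) used to show matching.
SAMPLE_PROXY_LOG = [
    "2022-05-24T10:01:02Z 10.0.0.12 POST http://nnasout.com/loo/need/work/Panel/five/fre.php 200",
    "2022-05-24T10:01:05Z 10.0.0.12 GET http://www.microsoft.com/ 200",
    "2022-05-24T10:02:11Z 10.0.0.40 POST http://alphastand.top/alien/fre.php 0",
]


def defang(url):
    """Make a URL safe to paste into tickets or chat: hxxp scheme, [.] in host."""
    parts = urlsplit(url)
    host = parts.hostname.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    rest = parts.path
    if parts.query or url.endswith("?"):  # keep the trailing '?' the sample uses
        rest += "?" + parts.query
    return f"{scheme}://{host}{rest}"


def triage_c2(urls):
    """Split URLs into (operator_iocs, builder_defaults).

    Each entry is a dict with host, url and defanged url.  Exact duplicate URLs
    are dropped and hosts are lowercased so they can be matched against logs.
    """
    seen, operator, defaults = set(), [], []
    for url in urls:
        if url in seen:
            continue
        seen.add(url)
        host = urlsplit(url).hostname.lower()
        entry = {"host": host, "url": url, "defanged": defang(url)}
        (defaults if host in BUILDER_DEFAULT_DOMAINS else operator).append(entry)
    return operator, defaults


def match_proxy_log(lines, hosts):
    """Return the log lines whose requested URL has a host in `hosts`."""
    hits = []
    for line in lines:
        for field in line.split():
            if "://" not in field:
                continue
            host = urlsplit(field).hostname
            if host and host.lower() in hosts:
                hits.append(line)
            break  # only the first URL-looking field is the request
    return hits


def main():
    operator, defaults = triage_c2(EXTRACTED_C2)
    print("Operator-specific C2 (block and hunt):")
    for entry in operator:
        print(f"  {entry['defanged']}")
    print("Builder-default C2 (family fingerprint, noisy as an IOC):")
    for entry in defaults:
        print(f"  {entry['defanged']}")
    hosts = {e["host"] for e in operator}
    print("Proxy log hits on operator C2:")
    for line in match_proxy_log(SAMPLE_PROXY_LOG, hosts):
        print(f"  {line}")


if __name__ == "__main__":
    main()
```

Matching only on the operator host set is deliberate: the builder-default domains will also match traffic from unrelated LokiBot infections, which is useful for family-level detection but not for scoping this campaign.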
Targets

Target:  quotation(CIF Yokohama).exe
Size:    222KB
MD5:     2eef9ae522288b3b5a93ddf1c4b10222
SHA1:    f4f6538e30789dccda884c706cb61a194cd7da00
SHA256:  352a06a48ddb77e75cd54264c213c7adfe6a70c1bbb89f453cd41e4592ec3d8a
SHA512:  5438f3daa0d9a52a150968d4957d577fd71815481104555ce85184acd3c1c9a8849b555dd54925f8f7a269a326e03938319199953d676cea55eba8bd58511827
Behavioral signatures (behavioral1 on win7-20220414-en):

- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS vendor and product strings are read from the registry to detect virtualized or sandbox environments.
- Checks computer location settings
  Looks up the country code configured in the registry, most likely as a geofence check before the stealer runs.
- Accesses Microsoft Outlook profiles
  Consistent with LokiBot's credential theft from mail client profiles.
- Maps connected drives based on registry
  Disk enumeration data is read from the registry; virtual disk vendor strings there are another sandbox indicator.
- Suspicious use of SetThreadContext
  Typically seen when a payload is written into a suspended process and its thread's entry point is redirected (process hollowing); expect the real LokiBot payload to run in a process other than the one launched.
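To see what the registry-based checks above actually read, and to audit whether an analysis VM would trip them, here is an added example (my code, not code from the report, from Tria.ge, or from the sample). The report names the artifacts but not the exact keys the sample opened, so the registry paths, the VM marker strings, the GeoID labels and the two registry snapshots are assumptions made for this example; on Windows the same table is run against the live registry through winreg.

```python
"""Audit an analysis VM for the registry artifacts a LokiBot sample checks.

Added example, not code from the sandbox report or the malware.  CHECKS lists
the registry locations commonly queried for each artifact named in the report
(assumption: the report does not list the exact keys the sample read).
"""
import sys

# (hive, key, value): value None means "does the key exist at all".
CHECKS = {
    "VirtualBox Guest Additions": ("HKLM", r"SOFTWARE\Oracle\VirtualBox Guest Additions", None),
    "VMware Tools":               ("HKLM", r"SOFTWARE\VMware, Inc.\VMware Tools", None),
    "BIOS SystemManufacturer":    ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    "BIOS SystemProductName":     ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    "Geo Nation (GeoID)":         ("HKCU", r"Control Panel\International\Geo", "Nation"),
    "Disk Enum 0":                ("HKLM", r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
}

# Substrings that give away a hypervisor in BIOS or disk strings (assumption).
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "xen", "virtual")

# A few GeoIDs for display only (assumption; Windows GeoID values).
GEOID_LABELS = {"244": "US", "203": "RU", "241": "UA"}

# Constructed snapshot of a VirtualBox guest with Guest Additions installed.
VBOX_GUEST_SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Oracle\VirtualBox Guest Additions"): {"Version": "6.1.32"},
    ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS"): {
        "SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox"},
    ("HKCU", r"Control Panel\International\Geo"): {"Nation": "244"},
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\Disk\Enum"): {
        "Count": 1, "0": r"IDE\DiskVBOX_HARDDISK___1.0_____\5&1a2b3c4d&0&0.0.0"},
}

# Constructed snapshot of a physical workstation with no hypervisor traces.
CLEAN_HOST_SNAPSHOT = {
    ("HKLM", r"HARDWARE\DESCRIPTION\System\BIOS"): {
        "SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7090"},
    ("HKCU", r"Control Panel\International\Geo"): {"Nation": "244"},
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\Disk\Enum"): {
        "Count": 1, "0": r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980\4&2f7e1c9a&0&000000"},
}


def snapshot_reader(snapshot):
    """Build a reader over a dict snapshot: returns True for key-exists checks,
    the value data for value checks, or None when absent."""
    def read(hive, key, value):
        values = snapshot.get((hive, key))
        if values is None:
            return None
        return True if value is None else values.get(value)
    return read


def winreg_reader(hive, key, value):
    """Same interface against the live registry (Windows only)."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, key) as handle:
            return True if value is None else winreg.QueryValueEx(handle, value)[0]
    except OSError:
        return None


def audit(reader):
    """Run every check; return the VM indicators found and the configured GeoID."""
    findings, geo_id = [], None
    for name, (hive, key, value) in CHECKS.items():
        data = reader(hive, key, value)
        if data is None:
            continue                      # artifact absent: nothing for the sample to see
        if name.startswith("Geo"):
            geo_id = str(data)            # geofence input, reported but not a VM indicator
        elif value is None:
            findings.append(f"{name}: key present")
        elif any(marker in str(data).lower() for marker in VM_MARKERS):
            findings.append(f"{name}: {data!r}")
    return {"vm_indicators": findings, "geo_id": geo_id}


def main():
    reader = winreg_reader if sys.platform == "win32" else snapshot_reader(VBOX_GUEST_SNAPSHOT)
    result = audit(reader)
    label = GEOID_LABELS.get(result["geo_id"], "unknown")
    print(f"GeoID: {result['geo_id']} ({label})")
    print("VM indicators visible to the sample:" if result["vm_indicators"] else "No VM indicators found")
    for finding in result["vm_indicators"]:
        print(f"  {finding}")


if __name__ == "__main__":
    main()
```

Run on the analysis VM itself; every line printed is something the sample can read with plain registry calls before it decides whether to unpack, so each one is a candidate to scrub from the image or hook in the sandbox.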