General
-
Target
1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
-
Size
2.2MB
-
Sample
220607-1nbclshfdq
-
MD5
c5f7c25b68f35ea7e149eb21a0fca79d
-
SHA1
ebd8aefdcfbfaf997c8c0fcb0986a44a1c1e9745
-
SHA256
1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
-
SHA512
80307b27551089e4cab08f43b2e9f5c713f7893674596d3572a73c7fb33e35d929961b294efff54fb94eb334d67f552f301954367191c2df1d50b8acbf62e2ab
Static task
static1
Behavioral task
behavioral1
Sample
1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746.exe
Resource
win7-20220414-en
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
lokibot
http://fashionstune.com/wp-includes/app/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
-
Size
2.2MB
-
MD5
c5f7c25b68f35ea7e149eb21a0fca79d
-
SHA1
ebd8aefdcfbfaf997c8c0fcb0986a44a1c1e9745
-
SHA256
1ad41550edb304b11fd8b6f070f957c24527cbc0b0d222ce1141a0287e0b3746
-
SHA512
80307b27551089e4cab08f43b2e9f5c713f7893674596d3572a73c7fb33e35d929961b294efff54fb94eb334d67f552f301954367191c2df1d50b8acbf62e2ab
-
Detect XtremeRAT Payload
-
Modifies firewall policy service
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Suspicious use of SetThreadContext
-