General
-
Target
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
-
Size
1.6MB
-
Sample
220622-klvqgaefa4
-
MD5
de415a476603c5f57cb5df5fdc781ed7
-
SHA1
9da0689d728b5872226a70974df036fed4ea650d
-
SHA256
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
-
SHA512
2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46
Static task
static1
Behavioral task
behavioral1
Sample
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35.exe
Resource
win7-20220414-en
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
lokibot
http://life-is-beautiful.in/api/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
-
Size
1.6MB
-
MD5
de415a476603c5f57cb5df5fdc781ed7
-
SHA1
9da0689d728b5872226a70974df036fed4ea650d
-
SHA256
2e6ed3d8b26ba87c304e0adf7b6244ac382a33fff95f22fab4c72b911601fc35
-
SHA512
2d31a48cda76659ed8b48a6490f14168b7e6379bf6eedbaf60693c01ad16e9808ac2389d5b3e00c80d9cc17c18d9b6e8c9011b3a034bd0482f526a98dac33c46
-
Detect XtremeRAT Payload
-
Modifies firewall policy service
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Drops startup file
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-