General
Target: Purchase Order_PO3082.exe
Size: 225KB
Sample: 220701-ss8jxahggr
MD5: cb197bd90ec894e0307aa787decbe7e7
SHA1: 9b090bb13c1e2c72ddb9e41598edf06a28ef4c49
SHA256: 2a0e220401734d689b8eea3cf7d58b7c5e91d1ce75cc7c1181c601db39224ef8
SHA512: a091a3263cedc0410a59cd37c63de2ff84adbb9b5a96fe67bd40da9728247b9568ed8f4823bb533a790c8fe803fb3947b26ea1f055ffa95e10c3ffdf4aba7ede

Static task: static1
Behavioral task: behavioral1 (sample: Purchase Order_PO3082.exe, resource: win7-20220414-en)

Malware Config
Extracted family: lokibot
C2 URLs:
  http://198.187.30.47/p.php?id=16546937168647514
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: Purchase Order_PO3082.exe, 225KB (same MD5/SHA1/SHA256/SHA512 as listed under General)
Signatures
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
  suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
  suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  Accesses Microsoft Outlook profiles
  Suspicious use of SetThreadContext