General
Target: 3cfbb72c8e072d6aa4d7be8e7d7ad1719054379a88dc0f905f19f35611122f35
Size: 557KB
Sample: 220703-e93hbsfdgl
MD5: 9c44cc43a631c9a8b804a8d51024f436
SHA1: 1f89fd1f401d0b2e3c299da3b87df3a1a4f95012
SHA256: 3cfbb72c8e072d6aa4d7be8e7d7ad1719054379a88dc0f905f19f35611122f35
SHA512: 1863f0e04a67b1b61389b48a8f52d005d06e8e06576532ef5ea43454277258cc6543fe505cb3b3ffd6a0d0333f62799dc24b20fd13c579df5ab5062886f9b577
Static task: static1
Behavioral task: behavioral1
Sample: 3cfbb72c8e072d6aa4d7be8e7d7ad1719054379a88dc0f905f19f35611122f35.exe
Resource: win7-20220414-en
Malware Config
Extracted family: lokibot
C2 URLs:
https://publicspeaking.co.id/seun/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: 3cfbb72c8e072d6aa4d7be8e7d7ad1719054379a88dc0f905f19f35611122f35
Size: 557KB
MD5: 9c44cc43a631c9a8b804a8d51024f436
SHA1: 1f89fd1f401d0b2e3c299da3b87df3a1a4f95012
SHA256: 3cfbb72c8e072d6aa4d7be8e7d7ad1719054379a88dc0f905f19f35611122f35
SHA512: 1863f0e04a67b1b61389b48a8f52d005d06e8e06576532ef5ea43454277258cc6543fe505cb3b3ffd6a0d0333f62799dc24b20fd13c579df5ab5062886f9b577
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
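The extracted C2 URLs and the Suricata User-Agent hit above are the two network indicators a responder would pivot on in proxy logs. The following is an added example, not part of the sandbox report: it scans constructed proxy log lines for the five C2 URLs listed in the malware config, for the LokiBot User-Agent, and for POSTs to a fre.php gate on a host not in the list. The log format and the log lines are constructed for the example; the User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the widely documented LokiBot value that the ET "Charon/Inferno" rule keys on and is assumed here rather than taken from the page.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration in the report above.
LOKIBOT_C2_URLS = [
    "https://publicspeaking.co.id/seun/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Assumption: LokiBot's hard-coded User-Agent is "Mozilla/4.08 (Charon; Inferno)",
# the string the ET "LokiBot User-Agent (Charon/Inferno)" rule matches on.
CHARON_UA = re.compile(r"Mozilla/4\.08 \(Charon; Inferno\)")

C2_HOSTS = {urlsplit(u).hostname for u in LOKIBOT_C2_URLS}
C2_PATHS = {urlsplit(u).path for u in LOKIBOT_C2_URLS}

# Constructed proxy log lines (not from the sandbox run), one request per line:
#   <timestamp> <client-ip> <method> <host> <path> "<user-agent>"
SAMPLE_LOG = """\
2022-07-03T08:11:02Z 10.0.0.12 POST kbfvzoboss.bid /alien/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-07-03T08:11:05Z 10.0.0.12 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1; rv:91.0)"
2022-07-03T08:11:09Z 10.0.0.31 POST alphastand.top /alien/fre.php "Mozilla/5.0 (Windows NT 6.1; rv:91.0)"
2022-07-03T08:11:14Z 10.0.0.45 POST 203.0.113.9 /panel/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-07-03T08:11:20Z 10.0.0.12 GET publicspeaking.co.id / "Mozilla/5.0 (Windows NT 6.1; rv:91.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify(line):
    """Return a dict describing the request and why it matched, or None if the
    line does not parse. An empty 'reasons' list means the request is clean."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, ua = m.groups()
    reasons = []
    # Exact C2 URL from the config is the highest-confidence indicator.
    if host in C2_HOSTS and path in C2_PATHS:
        reasons.append("known-c2-url")
    elif host in C2_HOSTS:
        # publicspeaking.co.id looks like a compromised legitimate site, so a hit
        # on the bare host (without the gate path) is lower confidence.
        reasons.append("known-c2-host")
    if CHARON_UA.search(ua):
        reasons.append("lokibot-user-agent")
    # LokiBot gates are conventionally named fre.php; a POST to one on a host
    # that is not in the extracted config may be a panel the config did not cover.
    if method == "POST" and path.endswith("/fre.php") and "known-c2-url" not in reasons:
        reasons.append("fre.php-post")
    return {"ts": ts, "src": src, "host": host, "path": path, "reasons": reasons}


def scan(log_text):
    """Return the matched requests, in log order, each with its list of reasons."""
    hits = []
    for line in log_text.splitlines():
        r = classify(line)
        if r and r["reasons"]:
            hits.append(r)
    return hits


def suspected_clients(hits):
    """Client IPs that hit a known C2 URL or sent the LokiBot User-Agent."""
    strong = {"known-c2-url", "lokibot-user-agent"}
    return sorted({h["src"] for h in hits if strong & set(h["reasons"])})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["src"], h["host"] + h["path"], ",".join(h["reasons"]))
    print("suspected clients:", suspected_clients(scan(SAMPLE_LOG)))
```

On the constructed log the scan flags four of the five requests: two exact C2 URL hits, one request carrying the LokiBot User-Agent to an unlisted fre.php gate, and one low-confidence contact with the compromised host. Hostnames alone are weak evidence for a sample like this one whose first C2 sits on a legitimate domain, which is why the function separates "known-c2-url" from "known-c2-host".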