General
- Target: 4331fd03d4281b82c3be8dcee3d53559ecb824e1bfdf4d86475c795ac209f0d0
- Size: 4.3MB
- Sample: 220707-3nz23sagc6
- MD5: 6abe27f5fb28b360152fb6dc7f521d64
- SHA1: c29253502e7799a4468c569ea907cfa4d2852b62
- SHA256: 4331fd03d4281b82c3be8dcee3d53559ecb824e1bfdf4d86475c795ac209f0d0
- SHA512: 7b505b00b38b6dc088a771946f1a1f4b4d732503ba45b4c085e0f84a179ceb3225019480b51289d37bc4612b01e317167660bf5ca5f139edae45a0f215e75b32
Static task: static1
Behavioral task: behavioral1
- Sample: 4331fd03d4281b82c3be8dcee3d53559ecb824e1bfdf4d86475c795ac209f0d0.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4331fd03d4281b82c3be8dcee3d53559ecb824e1bfdf4d86475c795ac209f0d0.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
lokibot
http://hydeoutent.com/app/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: 4331fd03d4281b82c3be8dcee3d53559ecb824e1bfdf4d86475c795ac209f0d0
- Size: 4.3MB
- MD5: 6abe27f5fb28b360152fb6dc7f521d64
- SHA1: c29253502e7799a4468c569ea907cfa4d2852b62
- SHA256: 4331fd03d4281b82c3be8dcee3d53559ecb824e1bfdf4d86475c795ac209f0d0
- SHA512: 7b505b00b38b6dc088a771946f1a1f4b4d732503ba45b4c085e0f84a179ceb3225019480b51289d37bc4612b01e317167660bf5ca5f139edae45a0f215e75b32
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext