General
-
Target
63dc3a9bb1abdf611d5d864326bd19c2
-
Size
666KB
-
Sample
220707-f7aj7sfhb6
-
MD5
63dc3a9bb1abdf611d5d864326bd19c2
-
SHA1
b1f48165702c1c6e5428c06ec286014bc69197d4
-
SHA256
5a19eb6632c933e1a001dca81e9647141155df6b87065dd3e538387ac52c37ce
-
SHA512
747bd456d8e6b8e3c01088268bb12210c8c7d1c58e2b68684ff830ad250b9d2c043d423fc27d3b22773cc0c9cff3a075c4f6351860cb7c7548e4643586e81750
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order_PDF.ARJ.exe
Resource
win7-20220414-en
Malware Config
Extracted
lokibot
http://sempersim.su/gi9/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Purchase Order_PDF.ARJ.exe
-
Size
511KB
-
MD5
df80aec9cb4a8a5c0175a3d7ca352107
-
SHA1
4346176f31584b17b4b790908d6984bf43487c1c
-
SHA256
1e6f5352bb12ba7c2f9cba16e628eecd4cfe8e7f14a3b552f9be7b7b54afcd35
-
SHA512
5112d3cdea6143331674d494cf302d4457d79602b1a1447e4eff004d6d75cec0f45a7b416ca61fea82209571d1e5a8f31ac0ba776c6416a8e69589b7158c2423
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-