General
-
Target
42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550
-
Size
4.3MB
-
Sample
220708-b7plxaccdq
-
MD5
b18845adc4e9656460ea07ed40cde26b
-
SHA1
c3cfa90112c46f4be175370b45ae40fa7f3f9e3c
-
SHA256
42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550
-
SHA512
8df6ec830b60b4c958f62f6e464b9f84ff369a8dad6317321774c371455e1569ef9181e95da59f4c085af8df42ea45eb16c952bcee31f7a4b403281bbc3e6a81
Static task
static1
Behavioral task
behavioral1
Sample
42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
lokibot
http://saftygroup.com/app/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550
-
Size
4.3MB
-
MD5
b18845adc4e9656460ea07ed40cde26b
-
SHA1
c3cfa90112c46f4be175370b45ae40fa7f3f9e3c
-
SHA256
42abb229afc6de51904002a907b3934c24632af5075550b90b1d6a14005eb550
-
SHA512
8df6ec830b60b4c958f62f6e464b9f84ff369a8dad6317321774c371455e1569ef9181e95da59f4c085af8df42ea45eb16c952bcee31f7a4b403281bbc3e6a81
-
Detect XtremeRAT payload
-
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
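Turning the report into a hunt: the script below is an added example, not part of the sandbox output, that checks web-proxy records against the five C2 URLs extracted from this sample's configuration and against the user-agent markers named in the "LokiBot User-Agent (Charon/Inferno)" Suricata signature. The log format, client addresses and request lines are constructed for the demonstration; the "fre.php" endpoint heuristic is an assumption derived only from the fact that every extracted C2 URL ends in that path, and the Charon/Inferno substring check is based on the rule's title, not on the rule body, which the report does not include.

```python
"""Match proxy-log requests against the LokiBot C2 URLs extracted from this sample.

Added example (not part of the sandbox report). Log lines are a constructed,
simplified format: timestamp, client IP, method, URL, quoted User-Agent.
"""
import shlex
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration in the report.
LOKIBOT_C2_URLS = [
    "http://saftygroup.com/app/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]


def normalize(url):
    """Reduce a URL to (lowercased host, path) so scheme/port/case do not hide a match."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), (parts.path or "/")


C2_URL_INDEX = {normalize(u) for u in LOKIBOT_C2_URLS}
C2_HOSTS = {host for host, _ in C2_URL_INDEX}


def classify(url, user_agent):
    """Return the list of indicators that make this request look like LokiBot traffic."""
    reasons = []
    host, path = normalize(url)
    if (host, path) in C2_URL_INDEX:
        reasons.append("exact-c2-url")          # strongest: URL from the extracted config
    elif host in C2_HOSTS:
        reasons.append("c2-host")               # same host, different path (rotated panel?)
    elif path.endswith("/fre.php"):
        # Assumption: weak heuristic, all five extracted C2 URLs share this endpoint name.
        reasons.append("fre-php-endpoint")
    ua = user_agent.lower()
    if "charon" in ua and "inferno" in ua:
        # Based on the title of the Suricata rule listed in the report, not its body.
        reasons.append("lokibot-user-agent")
    return reasons


def parse_line(line):
    """Parse one constructed log line; returns None for blank or malformed lines."""
    fields = shlex.split(line)
    if len(fields) != 5:
        return None
    ts, client, method, url, ua = fields
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def scan(lines):
    """Return (client, url, reasons) for every line that triggers at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["url"], rec["ua"])
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits


# Constructed sample log: one benign request, one exact C2 hit, one host-only hit,
# and one unknown host that still shows the fre.php endpoint plus the suspect UA.
SAMPLE_LOG = """
2022-07-08T10:11:58Z 10.0.0.5 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 10.0)"
2022-07-08T10:12:01Z 10.0.0.5 POST http://alphastand.top/alien/fre.php "Mozilla/4.08 (Charon; Inferno)"
2022-07-08T10:12:09Z 10.0.0.7 GET http://kbfvzoboss.bid/alien/other.php "Mozilla/5.0 (Windows NT 6.1)"
2022-07-08T10:12:15Z 10.0.0.9 POST http://203.0.113.10/panel/fre.php "Mozilla/4.08 (Charon; Inferno)"
""".strip().splitlines()


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

Host-level matches on their own deserve a look at DNS and passive-DNS history before escalation, since these domains may be reassigned; an exact URL match or the Charon/Inferno user-agent combined with a POST to fre.php is the pairing worth treating as a confirmed beacon.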