General
- Target: 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca
- Size: 1.3MB
- Sample: 220717-cg5qwabec6
- MD5: 379fcce7aa44df74a1510fe7cd82a558
- SHA1: 3282d76ba3b1b9e6a95e5b8a0fa1a7e77b66cd75
- SHA256: 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca
- SHA512: 52aef4aa657ecd5099fd86babb97a4a2a72eecd5bcfda6140a839c1d9683097ca1d51e4940825b17498af4e675a7e3b623236017c95829b70e4fd1e81d099e2b
Static task: static1
Behavioral task: behavioral1
- Sample: 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: lokibot
- http://jalango.co.ke/js/loki/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Extracted: netwire
- iheuche009.hopto.org:1199
- activex_autorun: true
- activex_key: {4QIS0Y00-K788-3BRR-G510-L26XY452725R}
- copy_executable: true
- delete_original: false
- host_id: Bushbush
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: RjCRIvgp
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: Avast
- use_mutex: true
Targets
- Target: 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca
- Size: 1.3MB
- MD5: 379fcce7aa44df74a1510fe7cd82a558
- SHA1: 3282d76ba3b1b9e6a95e5b8a0fa1a7e77b66cd75
- SHA256: 52bd3a6ae955ee26c653fd92f0ee560cb35349df719eff165f194639cab2e1ca
- SHA512: 52aef4aa657ecd5099fd86babb97a4a2a72eecd5bcfda6140a839c1d9683097ca1d51e4940825b17498af4e675a7e3b623236017c95829b70e4fd1e81d099e2b
- NetWire RAT payload
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext