General
Target: 56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3
Size: 2.2MB
Sample: 220725-cc1lcsaab6
MD5: d6f0b0dab732ddbccb910d62172148f4
SHA1: 6b7b3acbbed374628e9217b039deda2702fad88e
SHA256: 56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3
SHA512: 28e15352233db9c6ba71bcfc5e5dee7aaec66ad674b2450e26a5a75683b3f1112c804f01f75908134ead46a5e3e009b36b03c0fc4289e8088b8bb764894aff34
Behavioral task: behavioral1
Sample: 56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3.exe
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: 56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3.exe
Resource: win10v2004-20220721-en
Malware Config
Extracted: lokibot
- http://molinolatebaida.com/basic-jquery-slider-8ffe118/js/lib/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: 56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3
Size: 2.2MB
MD5: d6f0b0dab732ddbccb910d62172148f4
SHA1: 6b7b3acbbed374628e9217b039deda2702fad88e
SHA256: 56b6af6272712c17cbfe0a5ebaa4850ecff1febc327c9ee252d75f322a129ec3
SHA512: 28e15352233db9c6ba71bcfc5e5dee7aaec66ad674b2450e26a5a75683b3f1112c804f01f75908134ead46a5e3e009b36b03c0fc4289e8088b8bb764894aff34
- Detect XtremeRAT payload
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext