General
Target: Approved purchase order number PO2022070012.exe
Size: 592KB
Sample: 220725-k43h2abgcp
MD5: e06695c163531f7089ca1b243ee8873f
SHA1: aa90d5f607fcdf8bce905a5f1ba8e2de4765fdf3
SHA256: 6e69038d76d420bc65eedac8eb5c5b727303efdff971bb7ad8b8f3b4deee8a45
SHA512: 7be6f6bb944a17898efaee35c56337437d0399fccefe13bd1649fbb58a68ba4bd847b22849599b90708b64e51c8963952d79cb001910268c23bdf6e58fe7a890
Static task: static1
Behavioral task: behavioral1
Sample: Approved purchase order number PO2022070012.exe
Resource: win7-20220718-en
Malware Config
Extracted: lokibot
C2 URLs (all five share the fre.php panel-gate path):
http://sempersim.su/gi15/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: Approved purchase order number PO2022070012.exe (size and hashes as listed under General)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Looks for VirtualBox Guest Additions in registry
Nirsoft (indicators of NirSoft password-recovery utilities, which infostealers commonly reuse)
Executes dropped EXE
Looks for VMWare Tools registry key
Checks BIOS information in registry: BIOS vendor and product strings are often read to detect virtualised sandboxes.
Checks computer location settings: looks up the country configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles (where Outlook stores account credentials)
Maps connected drives based on registry: enumerated disk names are often read to detect sandboxing environments.
Suspicious use of SetThreadContext (commonly paired with process hollowing or other code injection)