General
Target: 5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b
Size: 4.4MB
Sample: 220801-dagwxagdcm
MD5: 20359e1c6c6c702e933bd0943292dcdc
SHA1: 9a4d2f8380c051b18dc1dacd2bca67d345b246e7
SHA256: 5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b
SHA512: 4054e99618301849bf9878ec2126f04de021def5402f1f60da8e757e08adee4c258e80a161acb625990c5831b9613c48999faed513506488d94ae8bbbae7075a
Static task: static1
Behavioral task: behavioral1
  Sample: 5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b.exe
  Resource: win10v2004-20220722-en
Malware Config
Extracted family: lokibot
C2 URLs:
  http://fashionstune.com/old/inc/img/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
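The extracted config is the most directly actionable part of this report: the five C2 URLs and the sample hashes can be matched against proxy logs and files on disk. The script below is an added example, not part of the Triage report or of any tool the report describes. The URLs and hashes are copied verbatim from the report; the proxy log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for this example and are not real traffic. The /fre.php heuristic is derived only from the fact that all five configured panels end in that path, so it is labelled a weak indicator.

```python
"""IOC matching for the Triage report above: an added example, not part
of the report.  C2 URLs and sample hashes are copied from the report;
the proxy log lines and file bytes are constructed so the script runs
offline."""
import hashlib
import re
from urllib.parse import urlparse

# Lokibot C2 panel URLs from the extracted config.
C2_URLS = {
    "http://fashionstune.com/old/inc/img/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Hashes of the sample from the report.
SAMPLE_HASHES = {
    "md5": "20359e1c6c6c702e933bd0943292dcdc",
    "sha1": "9a4d2f8380c051b18dc1dacd2bca67d345b246e7",
    "sha256": "5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b",
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = """\
2022-08-01T10:00:01Z 10.0.0.5 POST http://fashionstune.com/old/inc/img/five/fre.php 404
2022-08-01T10:00:02Z 10.0.0.5 GET http://example.com/index.html 200
2022-08-01T10:00:03Z 10.0.0.7 POST http://alphastand.trade/alien/fre.php 200
2022-08-01T10:00:04Z 10.0.0.7 GET http://alphastand.top/favicon.ico 404
2022-08-01T10:00:05Z 10.0.0.9 GET http://alphastand.top.example.org/ 200
2022-08-01T10:00:06Z 10.0.0.9 POST http://unlisted.example/panel/fre.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(method, url):
    """Return the strongest indicator class a request matches, or None.

    Exact URL and hostname matches are hard indicators from the config.
    The /fre.php path is a weaker heuristic: all five configured panels
    end in it, so a POST to an unlisted host with that path is worth a
    look but is not proof on its own."""
    parsed = urlparse(url)
    if url in C2_URLS:
        return "c2_url"
    if parsed.hostname in C2_HOSTS:
        return "c2_host"
    if method == "POST" and parsed.path.endswith("/fre.php"):
        return "fre_php_post"
    return None


def match_proxy_log(text):
    """Scan proxy log text and return one dict per matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        reason = classify_url(m["method"], m["url"])
        if reason:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reason": reason})
    return hits


def match_file_hashes(data):
    """Return the hash algorithms under which `data` equals the sample."""
    return [algo for algo, digest in SAMPLE_HASHES.items()
            if hashlib.new(algo, data).hexdigest() == digest]


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['reason']:12} {hit['url']}")
    # Constructed bytes, not the real sample, so this prints an empty list.
    print(match_file_hashes(b"not the sample"))
```

Matching on the full URL first and the hostname second keeps the hard indicators separate from the path heuristic, which matters when the hits feed an alert queue: a host match on alphastand.top should page someone, a lone POST to some other /fre.php should not. Note that the last log line, a subdomain that merely begins with alphastand.top, is correctly ignored because the comparison is on the parsed hostname rather than a substring.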
Targets
Target: 5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b
Size: 4.4MB
MD5: 20359e1c6c6c702e933bd0943292dcdc
SHA1: 9a4d2f8380c051b18dc1dacd2bca67d345b246e7
SHA256: 5d3cda6617556e80066d305c45ade13f08d2aebdfa8412b962ddf67b81266f9b
SHA512: 4054e99618301849bf9878ec2126f04de021def5402f1f60da8e757e08adee4c258e80a161acb625990c5831b9613c48999faed513506488d94ae8bbbae7075a
Signatures
- Detect XtremeRAT payload
- XtremeRAT: developed by xtremecoder, available since at least 2010, and written in Delphi. Note that this report tags an XtremeRAT payload signature while the extracted config is lokibot; together with the dropped-EXE and dropped-DLL signatures below, the sample is worth treating as more than one family until the dropped files are examined.
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext