General
Target: 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
Size: 2.0MB
Sample: 230129-t6md9sfd2v
MD5: 2515bd45c12e30be94ed6790c9c892ab
SHA1: 5ba8d18b0b74fc5bb3745ee07a464bffc79768fb
SHA256: 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
SHA512: 3d9aa7c447c238b3bc8aca33c520b312847ecc5d4f7c45dd18faa2cedaf07d16c00d5366b4acb96da383c078e3a2e7ac598bdbd11bb9a988919e94c1f4cd6a25
SSDEEP: 49152:+kItzT0ey1C0bvSMn1v/Mr2WMkxoVypXzZoLwM86YsrTi:2tzTVMC5M13kUkoEM81Ou
Static task
static1

Behavioral task
behavioral1
Sample: 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7.exe
Resource: win7-20220812-en

Behavioral task
behavioral2
Sample: 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted: lokibot
- http://89.46.222.135/lewy/lewy/sun/best/solar/gem/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
Size: 2.0MB
MD5: 2515bd45c12e30be94ed6790c9c892ab
SHA1: 5ba8d18b0b74fc5bb3745ee07a464bffc79768fb
SHA256: 67fe903d5f661a4b19340f773bc94ac3e0ea8f46f459d552fe868731ae6175f7
SHA512: 3d9aa7c447c238b3bc8aca33c520b312847ecc5d4f7c45dd18faa2cedaf07d16c00d5366b4acb96da383c078e3a2e7ac598bdbd11bb9a988919e94c1f4cd6a25
SSDEEP: 49152:+kItzT0ey1C0bvSMn1v/Mr2WMkxoVypXzZoLwM86YsrTi:2tzTVMC5M13kUkoEM81Ou
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext