General
Target: HSBC Swift.exe
Size: 594KB
Sample: 230328-hvcvxabc6t
MD5: d9a072246ed0a96136fc498cb6e76b2a
SHA1: 916a43f3334916887712733881e2c4d2533b6da4
SHA256: 462980f3af609772be260792b702a118fb2e87ded7dfe87bf5a75a13b37277d6
SHA512: 01a8da1a606c31198a6fe807da1e49c185e010d4610e7bbea967a916f116deecd9becbfd69bbc0fbfb7a152beb36d51340f765982c0bc028701d301b7dfdb42c
SSDEEP: 6144:R92Nj7FNKuggE/ZsIMg+Emf5U5+G9JVJgI2idTWkzZaD9Ysi84OI3qMeYsyfjlFa:nsxu7V/2iFzZaesiWQse21U1thhhSBF
Static task: static1
Behavioral task: behavioral1
  Sample: HSBC Swift.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: HSBC Swift.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: lokibot
  https://sempersim.su/ha22/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
- Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext