lokibot | 0bf55bf44d608512998e8c23252981ef[.]bin | Triage

Sharing

Copy URL Twitter E-mail

General

Target

0bf55bf44d608512998e8c23252981ef.bin
Size

51KB
MD5

a6017b6d7a486e9ee2e200a5b6a1d65a
SHA1

5ece94927dd58d733099ab801e107d2497eb4ce3
SHA256

0f7957e93babd81fe3f67f07247240e9e24c56c9f47ff5d28f37f4dff6375702
SHA512

9d537a848ef57939a793d3f48a2c7e66f4f9342b778c0201ef8e1020e22b7e7d3f59830129a26c731722af53e473a93b4279f2b0f89543b6643f4c8119f022e4
SSDEEP

1536:TNqYfULIVempSk/AvExB7ZWqepAg01n2plyU47B:TjUpmfbDFW7u7nl

Score

10^/10

lokibot

Malware Config

Extracted

Family

lokibot

C2

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot family
lokibot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/f44c5fb71ef93673693994a3831a687175a0f6b232d0811631df162f70043133.exe

Files

0bf55bf44d608512998e8c23252981ef.bin
.zip

Password: infected
f44c5fb71ef93673693994a3831a687175a0f6b232d0811631df162f70043133.exe
.exe windows x86

Password: infected

0239fd611af3d0e9b0c46c5837c80e09

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

getaddrinfo
freeaddrinfo
closesocket
WSAStartup
socket
send
recv
connect

kernel32

GetProcessHeap
HeapFree
HeapAlloc
SetLastError
GetLastError

ole32

CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

VariantInit
SysFreeString
SysAllocString

Sections

.text
Size: 78KB - Virtual size: 77KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 535KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.x
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE