General
- Target: cleanmgr.bin.exe
- Size: 336KB
- Sample: 230614-mmnpnagc9z
- MD5: 56677d90dd57da29bab6f859ee4b810d
- SHA1: cb717cff2a0e3dc01f0760152d712a25b7f478e9
- SHA256: 35cc748980e782ab4b0eef2eda48148a5bb416cd926407f7d4eb5cd527c3be24
- SHA512: ea1b1eb82783179b686cc31198f4d7a417c71cb67f45859e2dd8846ce739ebd4e3134d3ad0dc3b9429d9c177253153b397f4571570c2181087b8cc55a4de5430
- SSDEEP: 6144:t9X0GiKbdOFMybyQL/8/WicQrzJKj5leufkfn7N1pL:T0XadOe8+cD5k/7NrL
Static task: static1
Behavioral task: behavioral1
- Sample: cleanmgr.bin.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: cleanmgr.bin.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: lokibot
http://171.22.30.164/chang3/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: cleanmgr.bin.exe
- Size: 336KB
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext