lokibot | fabb9cedf115627ea43633dc8f064ddf8bf660036d0f5743ef0dada4b983db4a[.]exe

General

Target

fabb9cedf115627ea43633dc8f064ddf8bf660036d0f5743ef0dada4b983db4a.exe
Size

96KB
MD5

95574990294038735668bcbcbc901f8e
SHA1

368d52901d5dd8caeac8b0cbdd7086952ec3fd1c
SHA256

fabb9cedf115627ea43633dc8f064ddf8bf660036d0f5743ef0dada4b983db4a
SHA512

f96ca75aee0fb9c922743532402f114def45474c0b46eda438a5d895f0c6181eaac7a4002e6007fd1d4b433ce90d7f8bd35018a7b0d470204208906a1da0bbea
SSDEEP

1536:6zvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqcIzmd:hSHIG6mQwGmfOQd8YhY0/E1UG

Score

10^/10

lokibot

Malware Config

Extracted

Family

lokibot

C2

http://tampabayllc.top/teamb/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 1 IoCs

Processes:

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_GENInfoStealer

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Lokibot family
lokibot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
fabb9cedf115627ea43633dc8f064ddf8bf660036d0f5743ef0dada4b983db4a.exe

Files

fabb9cedf115627ea43633dc8f064ddf8bf660036d0f5743ef0dada4b983db4a.exe
.exe windows:5 windows x86 arch:x86

0239fd611af3d0e9b0c46c5837c80e09

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

getaddrinfo
freeaddrinfo
closesocket
WSAStartup
socket
send
recv
connect

kernel32

GetProcessHeap
HeapFree
HeapAlloc
SetLastError
GetLastError

ole32

CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

VariantInit
SysFreeString
SysAllocString

Sections

.text
Size: 78KB - Virtual size: 80KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 512B - Virtual size: 536KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.x
Size: 512B - Virtual size: 8KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Extracted

Signatures

Files

0239fd611af3d0e9b0c46c5837c80e09

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

kernel32

ole32

oleaut32

Sections

.text Size: 78KB - Virtual size: 80KB

.rdata Size: 16KB - Virtual size: 20KB

.data Size: 512B - Virtual size: 536KB

.x Size: 512B - Virtual size: 8KB

.text
Size: 78KB - Virtual size: 80KB

.rdata
Size: 16KB - Virtual size: 20KB

.data
Size: 512B - Virtual size: 536KB

.x
Size: 512B - Virtual size: 8KB