General
-
Target
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b.exe
-
Size
594KB
-
Sample
241115-c21yeswqgy
-
MD5
62fda9bddb8cf5a4b641de014e050653
-
SHA1
532bdadc95a530e10ed2f7e377f37018cfca6b0e
-
SHA256
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b
-
SHA512
e1e71ec6589252b6f75c707c90c6115a0cc4b5515a56914a2e10a126b19ed4fda7bc6e3af0c43a96b63306ed82cc573a8a6118c3cc25b370adf3c632222a585e
-
SSDEEP
12288:1XOIWF8UKoZbJxNS6iod1/KNrxIvU2xp1lAlR6kCJVM0K:RWhxNBiMI5KvtqlR6kCJVTK
Static task
static1
Behavioral task
behavioral1
Sample
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b.exe
Resource
win7-20241010-en
Malware Config
Extracted
lokibot
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b.exe
-
Size
594KB
-
MD5
62fda9bddb8cf5a4b641de014e050653
-
SHA1
532bdadc95a530e10ed2f7e377f37018cfca6b0e
-
SHA256
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b
-
SHA512
e1e71ec6589252b6f75c707c90c6115a0cc4b5515a56914a2e10a126b19ed4fda7bc6e3af0c43a96b63306ed82cc573a8a6118c3cc25b370adf3c632222a585e
-
SSDEEP
12288:1XOIWF8UKoZbJxNS6iod1/KNrxIvU2xp1lAlR6kCJVM0K:RWhxNBiMI5KvtqlR6kCJVTK
-
Lokibot family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1