
Analysis Report Quotation Sheet_RFQ202011405002.doc

Overview

General Information

Sample Name:Quotation Sheet_RFQ202011405002.doc
MD5:a5f3d0e710a79c3e1b13345494e6c45f
SHA1:bb322bd348a704a5938d61266cd1c9851a69e703
SHA256:b3f635dac2b4d2bbd5d62164bfc9d533756d1981e475da1bd5aa61c30fbf8fd4


Detection

Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains functionality locales information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Malware Configuration

Threatname: Lokibot

{"c2:": "http://admaris.ir/smart/five/fre.php"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.960428221.01FC0000.00000040.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000004.00000002.960428221.01FC0000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000004.00000002.960428221.01FC0000.00000040.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
• 0x13bff:$des3: 68 03 66 00 00
• 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
• 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000004.00000002.960428221.01FC0000.00000040.00000001.sdmp | Loki_1 | Loki Payload | kevoreilly
• 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
• 0x153fc:$a2: last_compatible_version
00000004.00000002.948722234.00230000.00000004.00000001.sdmp | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
• 0x13e78:$s1: http://
• 0x17633:$s1: http://
• 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
• 0x13e80:$s2: https://
• 0x13e78:$f1: http://
• 0x17633:$f1: http://
• 0x13e80:$f2: https://
(Table truncated; the full report lists 16 entries.)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.1.smartxox8489322.exe.400000.0.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
5.1.smartxox8489322.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
5.1.smartxox8489322.exe.400000.0.raw.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
• 0x13bff:$des3: 68 03 66 00 00
• 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
• 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.1.smartxox8489322.exe.400000.0.raw.unpack | Loki_1 | Loki Payload | kevoreilly
• 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
• 0x153fc:$a2: last_compatible_version
4.2.smartxox8489322.exe.230000.1.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Steve Miller, Florian Roth
• 0x13e78:$s1: http://
• 0x17633:$s1: http://
• 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
• 0x13e80:$s2: https://
• 0x13e78:$f1: http://
• 0x17633:$f1: http://
• 0x13e80:$f2: https://
(Table truncated; the full report lists 29 entries.)

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\smartxox8489322.exe, CommandLine: C:\Users\user\AppData\Roaming\smartxox8489322.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\smartxox8489322.exe, NewProcessName: C:\Users\user\AppData\Roaming\smartxox8489322.exe, OriginalFileName: C:\Users\user\AppData\Roaming\smartxox8489322.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2252, ProcessCommandLine: C:\Users\user\AppData\Roaming\smartxox8489322.exe, ProcessId: 2148
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 87.236.213.195, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2252, Protocol: tcp, SourceIp: 192.168.2.2, SourceIsIpv6: false, SourcePort: 49158
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE, ProcessId: 2252, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPLJJT0P\smartx[1].exe

Signature Overview

AV Detection:

Found malware configuration
Source: smartxox8489322.exe.2148.4.memstr; Malware Configuration Extractor: Lokibot {"c2:": "http://admaris.ir/smart/five/fre.php"}
Multi AV Scanner detection for submitted file
Source: Quotation Sheet_RFQ202011405002.doc; Virustotal: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HPLJJT0P\smartx[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\smartxox8489322.exe; Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\smartxox8489322.exe
Source: unknown; Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Users\user\AppData\Roaming\smartxox8489322.exe; Code function: 4_2_00404EB8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00404EB8
Source: C:\Users\user\AppData\Roaming\smartxox8489322.exe; Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_2_00403D74
Source: C:\Users\user\AppData\Roaming\smartxox8489322.exe; Code function: 5_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 5_1_00403D74

Source: C:\Users\user\AppData\Roaming\smartxox8489322.exe; Code function: 4x nop then movzx eax, word ptr [esp+1Ah] 4_2_004539FC
Source: global traffic; DNS query: name: abass.ir
Source: global traffic; TCP traffic: 192.168.2.2:49158 -> 87.236.213.195:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.2:49159 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49159 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49159 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.2:49159 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.2:49160 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49160 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49160 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.2:49160 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.2:49161 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.2:49161 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.2:49161 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.2:49161 -> 87.236.213.195:80
Source: Traffic; Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 87.236.213.195:80 -> 192.168.2.2:49161