
Windows Analysis Report U001P56ybm.exe

Overview

General Information

Sample Name: U001P56ybm.exe
Analysis ID: 528740
MD5: 969e2ccfcacf3573de922d9bce81e3fd
SHA1: c3dd33a00d4dad9330d0c2dbc0c3b75396c70f8b
SHA256: 4a059628d9f56799d68937821b355477502fe0704d41a75c372b1c036061d59f
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • U001P56ybm.exe (PID: 4640 cmdline: "C:\Users\user\Desktop\U001P56ybm.exe" MD5: 969E2CCFCACF3573DE922D9BCE81E3FD)
    • U001P56ybm.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\U001P56ybm.exe" MD5: 969E2CCFCACF3573DE922D9BCE81E3FD)
  • cleanup
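The tree shows the sample starting a second copy of itself; together with the signatures above ("Creates a process in suspended mode (likely to inject code)", "Injects a PE file into a foreign process") that is the usual self-hollowing layout, where the suspended child is the target for the unpacked payload. The Python below is an added example, not part of the Joe Sandbox report, that hunts for this pattern in Sysmon-style process events. The events are constructed to mirror the PIDs in the tree, the field names follow Sysmon Event ID 1 (ProcessCreate) and 10 (ProcessAccess), and the user-writable path filter and the access-mask check are heuristics assumed by the example, not rules from the report.

```python
import re

# Constructed Sysmon-style events modelled on the process tree above
# (PID 4640 spawning PID 5684 with the same image); not real log data.
EVENTS = [
    {"EventID": 1, "ProcessId": 4640, "ParentProcessId": 1234,
     "Image": r"C:\Users\user\Desktop\U001P56ybm.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5684, "ParentProcessId": 4640,
     "Image": r"C:\Users\user\Desktop\U001P56ybm.exe",
     "ParentImage": r"C:\Users\user\Desktop\U001P56ybm.exe"},
    {"EventID": 10, "SourceProcessId": 4640, "TargetProcessId": 5684,
     "GrantedAccess": 0x1FFFFF},
    # Benign control: a browser launching a helper of the same image from Program Files.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 6900,
     "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Program Files\Browser\browser.exe"},
]

# Directories a standard user can write to (assumption: tune per environment).
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.IGNORECASE)

# Rights a hollowing parent needs in the child: write its memory and change mappings/protection.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_AND_MAP = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def find_self_spawn_candidates(events):
    """Return findings for children created by the same image from a user-writable path.
    Score 1 for the self-spawn alone, 2 if the parent also holds a write-capable
    handle to the child (Event ID 10)."""
    findings = {}
    for ev in events:
        if ev["EventID"] != 1:
            continue
        if ev["Image"].lower() != ev["ParentImage"].lower():
            continue
        if not USER_WRITABLE.match(ev["Image"]):
            continue
        findings[ev["ProcessId"]] = {
            "parent": ev["ParentProcessId"],
            "child": ev["ProcessId"],
            "image": ev["Image"],
            "score": 1,
            "reasons": ["self-spawn-from-user-path"],
        }
    for ev in events:
        if ev["EventID"] != 10:
            continue
        f = findings.get(ev["TargetProcessId"])
        if f is None or ev["SourceProcessId"] != f["parent"]:
            continue
        if ev["GrantedAccess"] & WRITE_AND_MAP == WRITE_AND_MAP:
            f["score"] += 1
            f["reasons"].append("parent-holds-write-handle")
    return sorted(findings.values(), key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in find_self_spawn_candidates(EVENTS):
        print(f"score={f['score']} parent={f['parent']} child={f['child']} {f['image']} {f['reasons']}")
```

Self-spawning is also what browsers, installers and updaters do, so the path filter does most of the false-positive work; the handle check is only a second signal, since a parent already owns a full handle to a child it created and may never need to reopen it.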

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
(36 entries; the remaining entries are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author
2.0.U001P56ybm.exe.400000.6.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
2.0.U001P56ybm.exe.400000.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.0.U001P56ybm.exe.400000.6.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
2.0.U001P56ybm.exe.400000.6.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
2.0.U001P56ybm.exe.400000.6.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
(82 entries; the remaining entries are not shown on this page)
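The third $s1 hit at 0x18074 is the one that matters: the bytes \x97\x8B\x8B\x8F\xC5\xD0\xD0 are "http://" XORed with 0xFF (0x68^0xFF = 0x97, 0x74^0xFF = 0x8B, 0x70^0xFF = 0x8F, 0x3A^0xFF = 0xC5, 0x2F^0xFF = 0xD0), whereas the other $s1 and $s2 hits coincide with the plaintext $f1/$f2 hits and are ordinary strings. The Python below is an added example, not part of the report or of the cited YARA rules: it performs the single-byte XOR search for URL prefixes over a constructed buffer and decodes the string behind a hit. The buffer contents, the "more XOR hits than plaintext hits" condition and the printable-ASCII decode stop are assumptions of the example and do not reproduce the rule's exact condition.

```python
# Prefixes the rule looks for; key 0 is the plaintext form.
PREFIXES = (b"http://", b"https://")


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_prefixes(buf, prefixes=PREFIXES, keys=range(256)):
    """Return sorted (offset, key, prefix) tuples for every occurrence of a prefix
    XORed with a single-byte key.  Key 0 means the prefix is in plaintext."""
    hits = []
    for key in keys:
        for prefix in prefixes:
            needle = xor_bytes(prefix, key)
            start = 0
            while True:
                off = buf.find(needle, start)
                if off < 0:
                    break
                hits.append((off, key, prefix))
                start = off + 1
    return sorted(hits)


def decode_string_at(buf, off, key, max_len=256):
    """Decode the XORed string at off, stopping at the first byte that does not
    decode to printable ASCII (normally the encoded NUL terminator)."""
    out = bytearray()
    for b in buf[off:off + max_len]:
        c = b ^ key
        if c < 0x20 or c > 0x7e:
            break
        out.append(c)
    return out.decode("ascii")


def has_encoded_url(buf):
    """Flag buffers with more XOR-key hits than plaintext hits, i.e. at least one
    URL prefix that only appears under a non-zero key (the underlying idea of the
    rule; its exact condition is not reproduced here)."""
    hits = find_xored_prefixes(buf)
    plaintext = sum(1 for _, key, _ in hits if key == 0)
    return len(hits) > plaintext


# Constructed test buffer: one plaintext URL (as any ordinary PE carries), then one
# URL XORed with 0xFF, which starts with the same bytes as the 0x18074 match above.
SAMPLE = (
    b"\x00" * 16
    + b"http://example.test/plain\x00"
    + b"\x00" * 8
    + xor_bytes(b"http://c2.example.test/fre.php\x00", 0xFF)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, key, prefix in find_xored_prefixes(SAMPLE):
        print(f"0x{off:x} key=0x{key:02x} {decode_string_at(SAMPLE, off, key)}")
    print("encoded URL present:", has_encoded_url(SAMPLE))
```

The JPCERT rule's strings in the memory dump are worth reading the same way: $des3 (68 03 66 00 00) is the x86 encoding of push 0x6603, and 0x6603 is the CryptoAPI ALG_ID CALG_3DES, so the hit pins down a 3DES CryptoAPI call rather than a text string; $param is the format string of the bot's MAC-plus-install-path identifier. Both appear in the unpacked PE as well as in the dump because they live in the decompressed payload, not in the NSIS wrapper.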

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: U001P56ybm.exe | ReversingLabs: Detection: 25%
Antivirus detection for URL or domain
Source: http://194.85.248.167/imt/fre.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll | ReversingLabs: Detection: 22%
Source: 2.0.U001P56ybm.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: U001P56ybm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA | 0_2_00405250
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405C22 FindFirstFileA,FindClose | 0_2_00405C22
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00402630 FindFirstFileA | 0_2_00402630
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW | 2_2_00403D74
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW | 2_1_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS. Every alert is between the analysis host 192.168.2.3 and 194.85.248.167:80; the rules that fired are:

  2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  (client -> server)
  2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  (client -> server)
  2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1                   (client -> server)
  2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2                   (client -> server)
  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                           (client -> server)
  2025381  ET TROJAN LokiBot Checkin                                               (client -> server)
  2025483  ET TROJAN LokiBot Fake 404 Response                                     (server -> client)

Alerts per connection (client source port, each connection 192.168.2.3:<port> -> 194.85.248.167:80):

  2 exfiltration connections, each raising 2024312, 2021641, 2025381 and 2024317 in that order:
    49744, 49745

  39 command-poll connections, each raising 2024313, 2021641, 2025381 and 2024318 on the request, followed by 2025483 on the server's reply (194.85.248.167:80 -> 192.168.2.3:<port>):
    49746, 49747, 49748, 49749, 49750, 49751, 49752, 49755, 49756, 49757, 49758, 49759, 49760, 49761, 49762, 49763, 49765, 49766, 49769, 49770, 49785, 49809, 49813, 49814, 49817, 49818, 49819, 49820, 49821, 49822, 49823, 49825, 49827, 49829, 49833, 49845, 49851, 49855, 49856
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49857
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49858
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49859
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49860
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49861
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49862
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49863
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49865
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49866
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49867
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View | ASN Name: DATACENTERRO DATACENTERRO
Source: global traffic | HTTP traffic detected: POST /imt/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 194.85.248.167 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 3D93679C | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: POST /imt/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 194.85.248.167 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 3D93679C | Content-Length: 163 | Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 194.85.248.167
Source: U001P56ybm.exe, 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp | String found in binary or memory: http://194.85.248.167/imt/fre.php
Source: U001P56ybm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: U001P56ybm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: U001P56ybm.exe, U001P56ybm.exe, 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, U001P56ybm.exe, 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown | HTTP traffic detected: POST /imt/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 194.85.248.167 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 3D93679C | Content-Length: 190 | Connection: close
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00404ED4 recv | 2_2_00404ED4
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00404E07

              System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: U001P56ybm.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKED