May 31, 2021
Severity
Medium
Analysis Summary
LokiBot is an obfuscated credential stealer targeting the Windows platform. Variants of LokiBot are packaged as an NSIS installer, a Visual Basic executable, an AutoIt executable, a UPX-packed executable, or a .NET C# executable. These files establish persistence and check for signs of virtual machines, debuggers, and antivirus software before executing the final payload.
Impact
- Memory Corruption
Indicators of Compromise
MD5, SHA-256 and SHA1 file hashes
Remediation
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IoCs in your environment.
- Consider blocking and/or setting up detection for all URL and IP-based IoCs.
- Keep applications and operating systems running at the current released patch level.
- Exercise caution with attachments and links in emails.
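One way to carry out the IoC search called for above, as an added example that is not part of the Rewterz advisory: the script hashes every file under a directory with MD5, SHA1 and SHA-256 in a single read and reports any digest present in an IoC set. The IoC values it ships with are constructed from a sample byte string so it runs offline; in a real run the advisory's hash lists would be loaded into the same `iocs` dictionary.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed demo IoC set: NOT the advisory's hashes, but digests of a
# constructed sample payload so the example runs offline.
SAMPLE_PAYLOAD = b"constructed-sample-payload-not-real-malware\n"
DEMO_IOCS = {
    "md5": {hashlib.md5(SAMPLE_PAYLOAD).hexdigest()},
    "sha1": {hashlib.sha1(SAMPLE_PAYLOAD).hexdigest()},
    "sha256": {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()},
}

def digest_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA1 and SHA-256 of one file in a single streaming pass."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def scan_tree(root, iocs):
    """Walk root; return [(path, algo, digest)] for every file whose digest is in iocs.
    IoC values are lower-cased once so mixed-case feeds still match."""
    normalized = {algo: {v.strip().lower() for v in vals} for algo, vals in iocs.items()}
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = digest_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            for algo, value in digests.items():
                if value in normalized.get(algo, ()):
                    matches.append((str(path), algo, value))
    return matches

def run_demo():
    """Build a constructed tree with one matching and one benign file, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "suspect.bin").write_bytes(SAMPLE_PAYLOAD)
        (Path(tmp) / "benign.txt").write_bytes(b"nothing to see here\n")
        return [(Path(p).name, algo, d) for p, algo, d in scan_tree(tmp, DEMO_IOCS)]

if __name__ == "__main__":
    for hit in run_demo():
        print("IoC match:", hit)
```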