General

Target: TT Copy.doc
Size: 957KB
Sample: 210114-elbmjkmqvn
MD5: 0d1f1658ad83475a2a3ba248f22b511d
SHA1: 47f8a624486c5b3e689de2613ff2f25fedba8060
SHA256: 9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d
SHA512: f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20
Static task: static1

Behavioral task: behavioral1
Sample: TT Copy.doc
Resource: win7v20201028

Behavioral task: behavioral2
Sample: TT Copy.doc
Resource: win10v20201028
Malware Config

Extracted family: lokibot
C2 URLs:
- http://51.195.53.221/p.php/cfOoZYb0LXPms
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
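The two things a responder wants from this report are a way to confirm that a file they are holding is the same sample (the four hashes under General) and a way to turn the extracted Lokibot C2 URLs into blockable indicators and check egress logs for them. The script below is an added example and is not code from the report page or the sandbox vendor. It embeds the hashes and C2 URLs exactly as the page lists them; the proxy log lines it scans are constructed for the example, and their key=value layout is an assumption, not any real product's format. The page also flags a NetWire RAT payload signature alongside the Lokibot config; the example only uses the C2 URLs the page actually lists and makes no claim about which family the payload belongs to.

```python
import hashlib
import ipaddress
import sys
from urllib.parse import urlparse

# Hashes of "TT Copy.doc" exactly as listed on the report page.
REPORTED_HASHES = {
    "md5": "0d1f1658ad83475a2a3ba248f22b511d",
    "sha1": "47f8a624486c5b3e689de2613ff2f25fedba8060",
    "sha256": "9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d",
    "sha512": "f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20",
}

# C2 URLs from the extracted Lokibot config on the report page.
C2_URLS = [
    "http://51.195.53.221/p.php/cfOoZYb0LXPms",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy log lines (hypothetical key=value format) for the example.
SAMPLE_PROXY_LOG = [
    "2021-01-14T10:02:11Z src=WIN7-LAB dst=alphastand.top uri=/alien/fre.php method=POST",
    "2021-01-14T10:02:12Z src=WIN7-LAB dst=51.195.53.221 uri=/p.php/cfOoZYb0LXPms method=POST",
    "2021-01-14T10:03:40Z src=WIN7-LAB dst=www.example.org uri=/index.html method=GET",
    "2021-01-14T10:04:02Z src=WIN10-LAB dst=cdn.example.net uri=/alien/fre.php method=POST",
]


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, as lower-case hex."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def compare_to_report(data: bytes) -> dict:
    """Per-algorithm flag: does this file match the reported sample?"""
    computed = hash_bytes(data)
    return {name: computed[name] == expected.lower()
            for name, expected in REPORTED_HASHES.items()}


def c2_indicators(urls) -> dict:
    """Split C2 URLs into IP, domain and URL-path indicators.

    IPs and domains are what you block or sinkhole; the paths are kept
    separately because the same path on a new host is still worth a look.
    """
    ips, domains, paths = set(), set(), set()
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
        paths.add(parsed.path)
    return {"ips": ips, "domains": domains, "paths": paths}


def find_c2_hits(log_lines, indicators) -> list:
    """Scan key=value proxy log lines for contacts with the C2 indicators.

    Returns (line_number, destination_host, matched_on) tuples; a known
    host is reported as "host", a known path on an unknown host as "path".
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        host = fields.get("dst", "")
        path = fields.get("uri", "")
        if host in indicators["ips"] or host in indicators["domains"]:
            hits.append((n, host, "host"))
        elif path in indicators["paths"]:
            hits.append((n, host, "path"))
    return hits


if __name__ == "__main__":
    # Usage: python check_sample.py [path-to-suspect-file]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print("hash match:", compare_to_report(f.read()))
    ind = c2_indicators(C2_URLS)
    print("block IPs:", sorted(ind["ips"]))
    print("block domains:", sorted(ind["domains"]))
    for line_no, host, why in find_c2_hits(SAMPLE_PROXY_LOG, ind):
        print(f"line {line_no}: {host} matched on {why}")
```

All four digests are compared even though SHA256 alone would settle identity; a vendor feed or a ticket often carries only the MD5 or SHA1, so keeping every algorithm the page lists lets the same function answer whichever one you were given. The path match on the fourth constructed log line is deliberately weaker than a host match: /alien/fre.php on a host the page does not list is a lead, not a confirmed C2 contact.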
Targets

Target: TT Copy.doc
Size: 957KB
MD5: 0d1f1658ad83475a2a3ba248f22b511d
SHA1: 47f8a624486c5b3e689de2613ff2f25fedba8060
SHA256: 9932116b510401de52801ebac79b9e4dac52e3389415c02fb8d861ec39a8156d
SHA512: f7c91978949e16cd7ce4d922917d0e8bf69004e77f913d2d8c8f60e5709dbf5b3fb6c88d43c370642e60831ef8f3f9ad2104940ec74d87179f7b78ef1e920b20

Signatures:
- NetWire RAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext