General
Target: PO – 211-2021-M-0280 0281e.xlsx
Size: 2.3MB
Sample: 210114-lkgtg1fsfj
MD5: 484385066d88e28b48f80db24e848bd0
SHA1: 95040022636d3926ff4835a9d491870338a084ca
SHA256: b7ab6beac68ee70c13d1f631c5aa82b2ab7d286e3702054032c3046336996cf8
SHA512: 99d244d4ff12d812ef836287f5ef1ea4f27b8dc29ad9e7cf1e93e1f24f3a153396c22388373f132c811d7523ef49765777e9c433f51fd6b412826719b39a2f89

Static task
static1

Behavioral task
behavioral1
Sample: PO – 211-2021-M-0280 0281e.xlsx
Resource: win7v20201028

Behavioral task
behavioral2
Sample: PO – 211-2021-M-0280 0281e.xlsx
Resource: win10v20201028

Malware Config
Extracted: lokibot
- http://paciflxinc.com/zoro/zoro2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php

Targets
Target: PO – 211-2021-M-0280 0281e.xlsx
Signatures:
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext