General
-
Target
USD_Overdue Payment Schedule.xls
-
Size
335KB
-
Sample
210121-3bd2cef9qx
-
MD5
1fac3e86ffe8869e8ad09c2402bed823
-
SHA1
ff278c78160f967cd7b2e7446ed609f6b2bc69ba
-
SHA256
cf92772879795211f5ec41488fc4e7ec6932c047b0941f56eee5208be702040f
-
SHA512
d081765012d56a30aa72f233fa7c8b8ccd8eecd6350e7406e82585e710ccaed029f6d06a9481825b7e10bf8b793e69bd5a40b31ad1df6478c49126934e0cd8ae
Malware Config
Extracted
lokibot
http://104.223.170.100/pgoldie/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
USD_Overdue Payment Schedule.xls
-
Size
335KB
-
MD5
1fac3e86ffe8869e8ad09c2402bed823
-
SHA1
ff278c78160f967cd7b2e7446ed609f6b2bc69ba
-
SHA256
cf92772879795211f5ec41488fc4e7ec6932c047b0941f56eee5208be702040f
-
SHA512
d081765012d56a30aa72f233fa7c8b8ccd8eecd6350e7406e82585e710ccaed029f6d06a9481825b7e10bf8b793e69bd5a40b31ad1df6478c49126934e0cd8ae
Score10/10-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage
-
Executes dropped EXE
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext
-