General
Target: Proof_of_Payment_2020112.xlsx
Size: 2.0MB
Sample: 210122-3f7xf51pga
MD5: 153d89ab5de4c8d7283531e179bc4db0
SHA1: ab2948d1dfae6c4a29241dd5c4abe261b5dd0c20
SHA256: f4033e5baff349334f140f3560640157f8753543576b64e8254f0523c28d1051
SHA512: eec417abf49cb12ebb340046d1b1394dd8d0ea4ed49c29b50131de4444a3f99b86dbf99fe87f382541a9eb724f1ea97a0cf5d3cfd738de13c81444718fe8d6c6
Static task: static1
Behavioral task: behavioral1
  Sample: Proof_of_Payment_2020112.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Proof_of_Payment_2020112.xlsx
  Resource: win10v20201028
Malware Config
Extracted family: lokibot
Extracted C2 URLs:
- http://becharnise.ir/fa11/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: Proof_of_Payment_2020112.xlsx
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Enumerates physical storage devices: attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext