General
-
Target
HSBC Payment copy.xlsx
-
Size
2.1MB
-
Sample
210122-vlywnpctra
-
MD5
4202a6f44d40ec7811ac7fa371360f62
-
SHA1
53b5dc8875711fc8782a5e688125489a0596ab4f
-
SHA256
c1846570bb0f165cbf376b88cf51fd8bc54dd055facdd992e8c7e0c28cbc238a
-
SHA512
a1d8865d45f9217d7015705b9ce7d41b3f4d342b9f573c4468f469591bea1d02675e958b3cd27fb31126ebfddb5bee0f7fdb170c8333249ae02743e17b4ace3f
Static task
static1
Behavioral task
behavioral1
Sample
HSBC Payment copy.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
HSBC Payment copy.xlsx
Resource
win10v20201028
Malware Config
Extracted
lokibot
http://zunlen.com/chief/jojo/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
HSBC Payment copy.xlsx
-
Size
2.1MB
-
MD5
4202a6f44d40ec7811ac7fa371360f62
-
SHA1
53b5dc8875711fc8782a5e688125489a0596ab4f
-
SHA256
c1846570bb0f165cbf376b88cf51fd8bc54dd055facdd992e8c7e0c28cbc238a
-
SHA512
a1d8865d45f9217d7015705b9ce7d41b3f4d342b9f573c4468f469591bea1d02675e958b3cd27fb31126ebfddb5bee0f7fdb170c8333249ae02743e17b4ace3f
Score10/10-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext
-