General

  • Target

    lokibot.doc.zip

  • Size

    2.2MB

  • Sample

    210314-f1nalaqzha

  • MD5

    ab32d4c4901ac6f60b48a92b486290ec

  • SHA1

    7dcdd8b33c81d57f913ab63824b06349a4a42c25

  • SHA256

    d7bf92f0d786e8e83d58ea0925a6c8619f08d2e823717953cdebcc1ee716e3e7

  • SHA512

    32accf33bd0e8bf449fa6d29433bddbf6591c89ce69e91901e0b433f9faf8e09b5202a68015fb314bea1a14259bf46d121b375eafe7c31e00c940a8c39d1e1df

Malware Config

Extracted

  • Family

    remcos

  • C2

    eventsbypearce.host:2580

Targets

    • Target

      lokibot.doc

    • Size

      3.6MB

    • MD5

      344bd19acdaf2557abdb66a2c88a3680

    • SHA1

      0aa0a31b77e26a71e1e35081bbc6cfbe245f4241

    • SHA256

      2ec1e4844941e4fb73e64732da4d6eede18abf02ec70ae9a2e97d3e2b9ca51fc

    • SHA512

      d9d4e7870113576a54ab30543989a3b7856ba35b8f377f7f1d098eb7e37b2dac2910c20bab0d42d296ff79235976030bab62003cff4b26b62a3df5dda9f222a6

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a remote access trojan.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Process spawned suspicious child process

      This child process is typically not spawned unless, for example, the parent process crashes, which usually indicates a failed compromise attempt against the parent.
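The signatures above describe what the sandbox saw: an Office parent spawning a shell, a dropped binary being executed and its DLL loaded, and a process reaching the extracted Remcos C2. The block below is an added example, not part of the sandbox report, that replays the same behaviours as detection rules over a constructed Sysmon-style event chain. The C2 host and port come from the report's extracted config; the process names, drop paths and file names (update.exe, helper.dll) are invented for illustration, and the "blocklisted process" rule is approximated as a shell/script interpreter or dropped binary making a network request, since the sandbox's own blocklist is not published.

```python
# Added triage example: replays constructed Sysmon-style events against the
# behaviours the report flags. Example code, not part of the sandbox report.
from typing import Dict, List, Set, Tuple

# C2 endpoint taken from the report's extracted Remcos config.
REMCOS_C2 = ("eventsbypearce.host", 2580)

# Office hosts that a macro-laden document runs inside.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office process should not spawn; a macro or exploit is the usual cause.
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Crash handlers: an Office parent spawning one usually means a failed exploit.
CRASH_CHILDREN = {"werfault.exe", "dw20.exe"}
# User-writable drop locations (assumption about typical loader behaviour, not from the report).
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
             "\\users\\public\\", "\\programdata\\")

Event = Dict[str, object]
Alert = Tuple[str, str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dropped_binary(path: str) -> bool:
    p = path.lower()
    return p.endswith((".exe", ".dll")) and any(d in p for d in DROP_DIRS)


def classify(events: List[Event]) -> List[Alert]:
    """Walk events in order and emit (rule, detail) pairs mirroring the report's signatures."""
    alerts: List[Alert] = []
    dropped: Set[str] = set()  # binaries written to a drop directory so far
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            if is_dropped_binary(str(ev["path"])):
                dropped.add(str(ev["path"]).lower())
        elif kind == "process_create":
            parent, child = basename(str(ev["parent_image"])), basename(str(ev["image"]))
            if parent in OFFICE_PARENTS and child in UNEXPECTED_CHILDREN:
                alerts.append(("unexpected_child", f"{parent} -> {child}"))
            if parent in OFFICE_PARENTS and child in CRASH_CHILDREN:
                alerts.append(("suspicious_child", f"{parent} -> {child}"))
            if str(ev["image"]).lower() in dropped:
                alerts.append(("executes_dropped_exe", str(ev["image"])))
        elif kind == "image_load":
            if str(ev["image_loaded"]).lower() in dropped:
                alerts.append(("loads_dropped_dll", str(ev["image_loaded"])))
        elif kind == "net_connect":
            image = str(ev["image"])
            dest = (str(ev["dest_host"]).lower(), int(str(ev["dest_port"])))
            if dest == REMCOS_C2:
                alerts.append(("remcos_c2", f"{basename(image)} -> {dest[0]}:{dest[1]}"))
            # "Blocklisted" approximated as an interpreter/shell or a dropped binary.
            if basename(image) in UNEXPECTED_CHILDREN or image.lower() in dropped:
                alerts.append(("blocklisted_net", f"{basename(image)} -> {dest[0]}:{dest[1]}"))
    return alerts


# Constructed event chain (paths and file names are invented for illustration).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPED_EXE = r"C:\Users\victim\AppData\Local\Temp\update.exe"
DROPPED_DLL = r"C:\Users\victim\AppData\Local\Temp\helper.dll"
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": WINWORD},
    {"type": "process_create", "parent_image": WINWORD, "image": CMD},
    {"type": "file_create", "image": CMD, "path": DROPPED_EXE},
    {"type": "file_create", "image": CMD, "path": DROPPED_DLL},
    {"type": "process_create", "parent_image": CMD, "image": DROPPED_EXE},
    {"type": "image_load", "image": DROPPED_EXE, "image_loaded": DROPPED_DLL},
    {"type": "net_connect", "image": DROPPED_EXE,
     "dest_host": "eventsbypearce.host", "dest_port": 2580},
    {"type": "net_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "ctldl.windowsupdate.com", "dest_port": 80},
]


def rules_fired(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Distinct rule names fired, in first-seen order."""
    seen: List[str] = []
    for rule, _ in classify(events):
        if rule not in seen:
            seen.append(rule)
    return seen


if __name__ == "__main__":
    for rule, detail in classify(SAMPLE_EVENTS):
        print(f"{rule:22s} {detail}")
```

Events must be fed in chronological order, because "executes dropped EXE" and "loads dropped DLL" only fire for binaries seen written earlier in the chain; the benign explorer.exe -> WINWORD.EXE launch and the svchost.exe update check produce no alerts.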

MITRE ATT&CK Enterprise v6

Tasks