General
- Target: RFQ-EB200-PLOO1_Bidding.pdf.exe
- Size: 428KB
- Sample: 210503-ffd5q1lwhx
- MD5: 0b1c21615413f0177e744c3085ff4316
- SHA1: 50d5ec35d24a91d0f374d52b4074ff4683808b05
- SHA256: 2c79441587c24d3a87a2fb4ce636bbb2213853dcaa4d8cadcf5613c56d0df3b2
- SHA512: 7efd643cb83c53e61bd8882e986d4c4c0d8ac58d28167d2f8784440b2069c8a0792720a532e7e266e4d24502ef495386f544c4c2f0e9a64685254a4c7e6dbdb4
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ-EB200-PLOO1_Bidding.pdf.exe
- Resource: win7v20210408
Malware Config
Extracted: lokibot
- http://104.168.175.179/ghost1/panel/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: RFQ-EB200-PLOO1_Bidding.pdf.exe
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of SetThreadContext