General
Target: RFQ-EB200-PLOO1_Bidding.pdf.exe
Size: 427KB
Sample: 210503-napamy3as2
MD5: 56bd48b55b18b3b9322d394029e5311c
SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06
Static task: static1
Behavioral task: behavioral1
Sample: RFQ-EB200-PLOO1_Bidding.pdf.exe
Resource: win7v20210410
Malware Config
Extracted: lokibot
URLs:
http://104.168.175.179/ghost1/panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: RFQ-EB200-PLOO1_Bidding.pdf.exe
Size: 427KB
MD5: 56bd48b55b18b3b9322d394029e5311c
SHA1: 564712776b933e50599e21a7712f67f4bf5bf148
SHA256: 6bbe3f13f623b476bab2f6e0c38b47c9e05f73cec099246afa6edfd3eb30b32f
SHA512: f6d9851c6d3eac49040214a895d654449bbb1d8fd18faa44abd57cc4660d55b769d86cab1a6ce07295a116e171337e30aac89f7ffe81c6ea0db94809c7cc7b06

- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext