General
-
Target
loki.docx
-
Size
10KB
-
Sample
210604-m7mwrt1x3s
-
MD5
b611e891cb9f097c7c357bb2c0e4ead3
-
SHA1
61e6a3ce6886ef59ca7cf23b71a422513cfd0524
-
SHA256
c6354273980658e3a9973b5458893e925f8762b5b3b19a2b520d6ce005953d0b
-
SHA512
2ddb5a6adb03905c2718da662debff309def8a064f2bdb020ec2e05f817d5d793c2c0cbefdfc3fb7fafd40caf6b28709bc116fd387caadce29445e22b39b14e4
Static task
static1
Behavioral task
behavioral1
Sample
loki.docx
Resource
win7v20210410
Behavioral task
behavioral2
Sample
loki.docx
Resource
win10v20210410
Malware Config
Extracted
http://bit.do/fQWAj
Extracted
lokibot
http://173.208.204.37/k.php/mvM4bZPtu0I2s
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
loki.docx
-
Size
10KB
-
MD5
b611e891cb9f097c7c357bb2c0e4ead3
-
SHA1
61e6a3ce6886ef59ca7cf23b71a422513cfd0524
-
SHA256
c6354273980658e3a9973b5458893e925f8762b5b3b19a2b520d6ce005953d0b
-
SHA512
2ddb5a6adb03905c2718da662debff309def8a064f2bdb020ec2e05f817d5d793c2c0cbefdfc3fb7fafd40caf6b28709bc116fd387caadce29445e22b39b14e4
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-