General
Target: print PO#6321023.docx
Size: 10KB
Sample: 210604-zwa9qy7lbn
MD5: 3eb620f82132d7715cde30887fa24ed5
SHA1: cf9fe04fa0e778e800e2e9bd681e831a95af1e09
SHA256: 07ffbabb575117c731872d2d6cda388f2343fdee55d700f8357263a48c0edabc
SHA512: 32d48ec3545c0384e35fcf168342e15ace224c45032548ae3375a379baa18a2b090380f17ca2a5326b62f592c3de3dc6d6f48cd3c70ca1293dd72f80a7d522c6
Static task: static1
Behavioral task: behavioral1
Sample: print PO#6321023.docx
Resource: win7v20210410
Behavioral task: behavioral2
Sample: print PO#6321023.docx
Resource: win10v20210410
Malware Config
Extracted
http://bit.do/fQXx8
Extracted
lokibot
http://173.208.204.37/k.php/mvM4bZPtu0I2s
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: print PO#6321023.docx
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Abuses OpenXML format to download file from external location
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext