General
Target: Arrival notice.xlsx
Size: 1.3MB
Sample: 210727-jmevjw5bs2
MD5: 0274a495e9ef20a4b3bfd274695d79b7
SHA1: 90c81259b0c08ece4698d440cbbb9dd5add9a4b7
SHA256: 9aea6342f41054eab27667160a40eada41c346b75cd2d31977f6d65d63c00fa3
SHA512: 87a0da0ccc539a64aa57d8feef8d76a4a55d3a8771428d52bfa7dcc8a081b23087cc01e6f6a322b6d378d3bce7378634ee5fdb28262606c0a1427898befa2b26
Static task: static1
Behavioral task: behavioral1 (Sample: Arrival notice.xlsx, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Arrival notice.xlsx, Resource: win10v20210410)
Malware Config
Extracted: lokibot
http://manvim.co/fd5/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext