General
Target: PURCHASE ORDER NO_2807.xlsx
Size: 672KB
Sample: 210728-297vhbpkfe
MD5: 2902877e609d74de1bbdc56c23aabcb1
SHA1: f07665cce2f3ac96345aa0d00a0562572eb8e496
SHA256: 8a80b6705686eaae47aba889cdf519403bb009f0e2c74432b1afad406a12522f
SHA512: 3b0fbb6e97a516b9d02302f0444d6e53a973281fa3d19c390e5b6db2c3d7ab3773db76f202b0f91ed2cc58100cdc750d98b0c8db2c11eba4029999bbd86d1599
Static task: static1
Behavioral task: behavioral1
Sample: PURCHASE ORDER NO_2807.xlsx
Resource: win7v20210408
Behavioral task: behavioral2
Sample: PURCHASE ORDER NO_2807.xlsx
Resource: win10v20210410
Malware Config
Extracted: lokibot
C2 URLs:
- http://arku.xyz/tkrr/T1/w2/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: PURCHASE ORDER NO_2807.xlsx
Signatures:
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
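The indicators in this report (the extracted C2 URLs, the document hashes and the two Suricata LokiBot signatures) turned into a small hunting script, added here as an example and not part of the sandbox report. It assumes Suricata eve.json `http` events as the log source; the records embedded below are constructed, not captured traffic. The literal User-Agent string is an assumption taken from public LokiBot reporting, since the report only names the signature, and the `fre.php-post` indicator is a weak, hypothetical heuristic of my own for gates the config extractor did not list.

```python
import json
import re
from urllib.parse import urlsplit

# Command-and-control URLs copied from the "Malware Config" section of the report.
C2_URLS = {
    "http://arku.xyz/tkrr/T1/w2/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# Hashes of the delivery document (MD5, SHA1, SHA256) copied from the report.
SAMPLE_HASHES = {
    "2902877e609d74de1bbdc56c23aabcb1",
    "f07665cce2f3ac96345aa0d00a0562572eb8e496",
    "8a80b6705686eaae47aba889cdf519403bb009f0e2c74432b1afad406a12522f",
}

# Assumption: the User-Agent behind the "Charon/Inferno" Suricata signature is the
# string LokiBot is widely reported to send; the report itself only names the signature.
LOKIBOT_UA = re.compile(r"Mozilla/4\.08 \(Charon; Inferno\)")


def classify_http(event):
    """Return the indicators an eve.json 'http' event matches (empty list if clean)."""
    http = event.get("http", {})
    host = (http.get("hostname") or "").lower()
    url = http.get("url") or ""
    full = f"http://{host}{url}"
    hits = []
    if host in C2_HOSTS:
        hits.append("c2-host")
    if full in C2_URLS:
        hits.append("c2-url")
    if LOKIBOT_UA.search(http.get("http_user_agent") or ""):
        hits.append("lokibot-user-agent")
    # Weak, hypothetical heuristic: a POST to a fre.php gate on a host the config
    # extractor did not list. LokiBot panels use this script name, but so may
    # legitimate sites, so it is reported under its own label for triage.
    if http.get("http_method") == "POST" and url.endswith("/fre.php") and host not in C2_HOSTS:
        hits.append("fre.php-post")
    return hits


def scan_eve(lines):
    """Parse eve.json lines; return (src_ip, hostname, hits) for every matching http event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the scan
        if event.get("event_type") != "http":
            continue
        hits = classify_http(event)
        if hits:
            findings.append((event.get("src_ip"), event["http"].get("hostname"), hits))
    return findings


def is_sample_hash(digest):
    """True if a hex digest (MD5, SHA1 or SHA256, any case) is the delivery document."""
    return digest.strip().lower() in SAMPLE_HASHES


# Constructed sample eve.json records (not captured traffic): one check-in to a
# C2 from the report, one beacon to an unlisted fre.php gate, one benign request,
# and one non-http event that the scanner must ignore.
SAMPLE_EVE = """
{"timestamp":"2021-07-28T10:01:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"alphastand.trade","url":"/alien/fre.php","http_user_agent":"Mozilla/4.08 (Charon; Inferno)","http_method":"POST"}}
{"timestamp":"2021-07-28T10:01:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","http":{"hostname":"example.net","url":"/panel/fre.php","http_user_agent":"Mozilla/4.08 (Charon; Inferno)","http_method":"POST"}}
{"timestamp":"2021-07-28T10:01:04.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"203.0.113.12","http":{"hostname":"example.com","url":"/index.html","http_user_agent":"Mozilla/5.0","http_method":"GET"}}
{"timestamp":"2021-07-28T10:01:05.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dns":{"rrname":"arku.xyz"}}
"""

if __name__ == "__main__":
    for src, host, hits in scan_eve(SAMPLE_EVE.splitlines()):
        print(src, host, ", ".join(hits))
```

Note that the hash check only identifies the delivery spreadsheet; the report records that a PE was downloaded and executed and that SetThreadContext was used, but gives no hash for the dropped executable, so host and User-Agent matching is the only coverage for the second stage here. Run it against a real eve.json by replacing `SAMPLE_EVE.splitlines()` with the file's lines.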