General
  Target: Quotation.xlsx
  Size: 1.2MB
  Sample: 210728-2kdn9cqrke
  MD5: 7d4d448a7d403b6d949868b89edc010d
  SHA1: 99c431853b504296c448035ba44d38426572063a
  SHA256: e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082
  SHA512: 56e71a502ab779eda9615f3b594d6384dc8397816fc6a04b3278dbc9b51fb14f50a00ba662f9bf88cf297ee9e0a78f6a1171fdf4d4b9d7f93e06560e32f31ee9

Static task
  static1

Behavioral task
  behavioral1
    Sample: Quotation.xlsx
    Resource: win7v20210408

Behavioral task
  behavioral2
    Sample: Quotation.xlsx
    Resource: win10v20210410

Malware Config
  Extracted: lokibot
    http://manvim.co/fd14/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Targets
  Target: Quotation.xlsx
  Size: 1.2MB
  MD5: 7d4d448a7d403b6d949868b89edc010d
  SHA1: 99c431853b504296c448035ba44d38426572063a
  SHA256: e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082
  SHA512: 56e71a502ab779eda9615f3b594d6384dc8397816fc6a04b3278dbc9b51fb14f50a00ba662f9bf88cf297ee9e0a78f6a1171fdf4d4b9d7f93e06560e32f31ee9
  Signatures:
    suricata: ET MALWARE LokiBot Checkin
    suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
    CustAttr .NET packer: detects CustAttr .NET packer in memory.
    Blocklisted process makes network request
    Downloads MZ/PE file
    Executes dropped EXE
    Loads dropped DLL
    Uses the VBS compiler for execution
    Suspicious use of SetThreadContext