General
- Target: AMOUNT RECIEPT.doc.xlsx
- Size: 1.2MB
- Sample: 210728-yysp5954aj
- MD5: a746a19a87ba1b76b2e453c0ac7131e9
- SHA1: 893dba0bd9b59d313207c3e91711988271306a8d
- SHA256: a60f5da18b43cee8b11581668df2284a37361f16f1994f21e2c9dab8e48f8298
- SHA512: f2ce5fa31859d2d4b9ba25cc29333eace054e58b5fae466fe3561137b6081a82c61dbce00e1cb0561b6e66f5934cbf517442a572563b0bf72c160c5e1b9dccec
Static task
- static1
Behavioral task
- behavioral1: sample AMOUNT RECIEPT.doc.xlsx, resource win7v20210408
Behavioral task
- behavioral2: sample AMOUNT RECIEPT.doc.xlsx, resource win10v20210408
Malware Config
- Extracted: lokibot
Targets
- suricata: ET MALWARE LokiBot Checkin
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- CustAttr .NET packer: Detects CustAttr .NET packer in memory.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext