General
- Target: New Order List 16092021.xlsx
- Size: 590KB
- Sample: 210915-gy5vesdadm
- MD5: 4a1d13469a6c817242e8b567bf34ab9a
- SHA1: a0d54f6c1205defad5f31cadf3393880e7c4c862
- SHA256: 65514d1bcd58f206fbc6339c7893a4dc5fb3e7de39177038eac73906ec5c622c
- SHA512: a89649b90fe5900f3a014d84cee247df5ee514066bc2b58b968eea203d5290db6964aa5e6f5169cd4830121b0044c620c55db1089bb6c73c1af18f7a82729bf8
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: New Order List 16092021.xlsx; Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: New Order List 16092021.xlsx; Resource: win10-en)
Malware Config
- Extracted family: lokibot
- Extracted URLs:
  - http://136.243.159.53/~element/page.php?id=475
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Targets
- Target: New Order List 16092021.xlsx (590KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext