General
- Target: Purchase Order # PO211021-01.docx
- Size: 10KB
- Sample: 211022-csyrpsbhfl
- MD5: 1b5c8e1ab3d91e363526c423f961c01f
- SHA1: a2e06479ad17e518d180896fd458f4523741540d
- SHA256: 517af664cfadc897195445bd52929627257460831a2386df0bf2b064fa502c71
- SHA512: 2725420b6313f55c1a5fca465a16002b0ebf02d76b382daa552b3c3f0fba80eebbf47692fe29e1077fac277125d68d0fdf0441397a288914e914dc8fbc071562
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order # PO211021-01.docx
Resource: win7-en-20211014
Behavioral task: behavioral2
Sample: Purchase Order # PO211021-01.docx
Resource: win7-de-20211014
Behavioral task: behavioral3
Sample: Purchase Order # PO211021-01.docx
Resource: win11
Behavioral task: behavioral4
Sample: Purchase Order # PO211021-01.docx
Resource: win10-en-20211014
Behavioral task: behavioral5
Sample: Purchase Order # PO211021-01.docx
Resource: win10-de-20210920
Malware Config
Extracted
https://shortclick.com/l
Extracted
lokibot
http://secure01-redirect.net/ga13/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: Purchase Order # PO211021-01.docx
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets service image path in registry
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory