General
Target: Outstanding Payments.xlsx
Size: 259KB
Sample: 211025-gca3xsgefm
MD5: edb2b17df86905c54d464a20352ff7f3
SHA1: 0a40e5e0266942cdca55380a69e8287b9e6f43d8
SHA256: 2005c36e4d566d616419607144f8d30b9da978428698d1bed3911da92fd37382
SHA512: 06ac3d2ada5b7b97c4a4f43511b8d93cd766941c0bbcc807450b2abae555dc2e353d03c7ee0f01c4c859c87ea1f7abb10f006098ba05b0c41c00345cdcb3dfd8
Static task: static1
Behavioral task: behavioral1
  Sample: Outstanding Payments.xlsx
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Outstanding Payments.xlsx
  Resource: win10-en-20211014
Malware Config
Extracted: lokibot
  http://63.250.40.204/~wpdemo/file.php?search=386869
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: Outstanding Payments.xlsx (259KB; hashes as listed under General)
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles