General
- Target: SHIPPING DOCUMENTS.xlsx
- Size: 341KB
- Sample: 211025-htsvqsgfeq
- MD5: 1cc2be0529c2600fc3d6eb75dad2af03
- SHA1: 9018c5690544ca97f2483f4ac3964fc9e71bf17a
- SHA256: b6415b60ebf75771831a1b27491970775a0483633a266c3a2508ad2035f8c838
- SHA512: d6e0569fb88c8051b6ec793f9aaeef5dc1f2d8feb47d7d6ef3adb177d589554e82a55decefcc57716b1a032003814a3a7a88fe2d94bb01fcb9f32011d5815d60
Static task: static1
Behavioral task: behavioral1
- Sample: SHIPPING DOCUMENTS.xlsx
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: SHIPPING DOCUMENTS.xlsx
- Resource: win10-en-20211014
Malware Config
Extracted: lokibot
http://secure01-redirect.net/fd3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: SHIPPING DOCUMENTS.xlsx (size and hashes as listed under General above)
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext