General

- Target: mslog.xlsx
- Size: 443KB
- Sample: 211028-mpc1yafhdp
- MD5: c4fef59db8ea4e3545ff2642accddc32
- SHA1: 5a3f9660eff6141f622370893d8c0e9b2259fe33
- SHA256: 67c4d07b201aec241072cc7d159e8bb7bd126b28a6f666fd1273cc17a8f3be92
- SHA512: 8ce33194e6bebe3f1bebd164174cf7c9fed0e5ccea07c325375c33ab53e6be39375e47a12b28162d570da758a44735adcb263e6f4ed96b87891e2a5be7fe7051
Static task: static1

Behavioral task: behavioral1
- Sample: mslog.xlsx
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: mslog.xlsx
- Resource: win10-en-20211014
Malware Config

Extracted: lokibot
- http://63.250.40.204/~wpdemo/file.php?search=9099522
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets

- Target: mslog.xlsx
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext