General
Target: Draft shipping doc CI+PL.xlsx
Size: 440KB
Sample: 211029-fp974shcfp
MD5: 49b9294d382c5809619d7c405bf0469b
SHA1: bb31d01a12bd5866cd509603404b243d023f3463
SHA256: a3a2ba5b44847a3450d80906eb3c4794de62510854b594104c79456b3cb1bc58
SHA512: 9e142fe0c9483b87c68b0fc4aa0feae899ab9260d60287902fdb1d2d56b565d795c10a8cf37650a75283750bf5200c84b8d52670fb9b4b20c0680e1099f29085
Static task: static1
Behavioral task: behavioral1
  Sample: Draft shipping doc CI+PL.xlsx
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: Draft shipping doc CI+PL.xlsx
  Resource: win10-en-20210920
Malware Config
Extracted: lokibot
- http://secure01-redirect.net/ga14/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: Draft shipping doc CI+PL.xlsx
Size: 440KB
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext